Browse Definitions :
Definition

QR code phishing

What is QR code phishing?

QR code phishing, or quishing, is a social engineering phishing attack that intentionally deceives its recipient into scanning a QR code, redirecting the person to a bogus website. Most often sent embedded in an email, these code images sidestep security controls and most link filters, making them far more dangerous than most other forms of phishing.

The rise of QR code technology

Invented in 1994 in Japan for automotive company Denso Wave to assist in labeling parts, QR codes, or quick-response codes, are code-encrypted images consisting of black-and-white squares deciphered by Reed-Solomon error correction.

Unlike one-dimensional barcodes, which can only be scanned from top to bottom, QR codes are scanned from top to bottom and left to right. Nowadays, these codes are designed and sent to direct users to a URL, aid in sending emails or text messages and display a message to its recipient.

Broader applications began as far back as 1997. Adoption was slow, though its use steadily increased during the last decade. However, QR code use exploded recently, especially following the pandemic. It's expected more than 100 million U.S. smartphone users will scan a QR code in 2025.

How QR code phishing works

Much like a regular phishing email, quishing scams imitate marketing emails from reputable, trusted sources, such as financial agencies. The message emphasizes urgency and encourages quick action, providing a link for the recipient to click. This malicious link leads to a site that either requests login credentials, asks for personal data such as a home address or a PIN, or instantly begins downloading some type of malware.

While numerous articles and workplace courses detail spotting and reporting email phishing scams, quishing remains less known, making it an alluring option for cybercriminals. Indeed, the widespread use of QR codes has spilled over from emails to near ubiquity. They can be found in newspapers, magazines or any public place.

Risks and consequences

Because it's designed to circumvent most forms of filtering and security, quishing is riskier than other phishing scams. There are several risks and consequences with quishing.

Harm to the individual

As with most phishing scams, quishing comes with the intent of installing malware on the device of its victim to steal personal and financial information. Targets of quishing often end up falling victim to compromised personal devices, identity theft and, most commonly, financial fraud.

Corporate financial implications

The most common end goal of quishing scams is the illicit acquisition of money. A study conducted by Ponemon in 2021 concluded that large organizations suffered more than $15 million in phishing-related loss, equaling approximately $1,500 per employee.

The amount of financial loss is also increasing. Direct financial loss from phishing attacks increased by 76%, according to Proofpoint's "2023 State of the Phish" report.

Data security concerns

Many quishing scams compromise sensitive consumer data. These breaches not only release confidential information the individual client believed secure, they damage the reputation of the victimized company, likely resulting in a loss of customers and reduced revenue.

Common targets of quishing

Given that most attackers seek monetary gain, the most common targets of these campaigns are businesses and infrastructures that hold sensitive financial information, such as banks, online stores, IT companies and payment systems. While attacks on these businesses at large are a very real security threat, quishing affects individual account holders, too.

Scammers singling out individuals tend to mask themselves as widely recognized and trustworthy corporations -- Amazon, Wells Fargo, LinkedIn and Apple among them -- to lure would-be victims into a false sense of familiarity and trust, making them more likely to scan the QR code without questioning the source.

Preventive measures

There are steps to avoid a quishing scam. As with any other scam, avoid responding to emails with a sense of urgency, look for other red flags around the QR code and apply normal security measures such as proper password hygiene.

Recognizing legitimate QR codes

When verifying the source of a QR code in an email or automated text message, there are several potential signs of fraud. No QR code received without warning or from an unfamiliar sender should be scanned without further research into the source. Even if it appears valid, contact the business in question to verify its legitimacy.

If encountering a random QR code outside, whether in a park, a restaurant or any other congregation site, look for signs of tampering, such as the existence of a hidden code underneath.

Applying best mobile security practices

In general, apps designed to scan QR codes are unnecessary. The only tool needed to scan a code is a smartphone's preinstalled camera app.

Password safety is the most useful tool in preventing cyberattacks. Passwords are most protective when treated as passphrases, or meaningful phrases to the user, with letters replaced by numbers and special characters. Using multiple passphrases for different accounts keeps personal information secure and prevents attacks.

For example, most services that require a password nowadays -- YouTube, Google, Microsoft -- and almost all social media platforms have the option to use the multifactor authentication method for login. These extra barriers make it more difficult for hackers and other cybercriminals to access personal and business accounts. They're more likely to give up.

An installed security app or antivirus software is the most dependable defense against malicious links. Security apps and antivirus software block automatic downloads and warn against linking to illegitimate sites.

Becoming familiar with phishing tactics

Individual users and businesses must strive to regularly educate themselves on the changing tactics of phishing and what various attacks look like in the first place.

The majority of quishing emails stress urgency to emotionally manipulate the recipient. Recipients should read through the email first and check the address it comes from. Fraudulent messages typically contain spelling errors or incorrect information. And no legitimate email ever makes demands for personal information or classified professional information.

This was last updated in January 2024

Continue Reading About QR code phishing

Networking
  • firewall as a service (FWaaS)

    Firewall as a service (FWaaS), also known as a cloud firewall, is a service that provides cloud-based network traffic analysis ...

  • private 5G

    Private 5G is a wireless network technology that delivers 5G cellular connectivity for private network use cases.

  • NFVi (network functions virtualization infrastructure)

    NFVi (network functions virtualization infrastructure) encompasses all of the networking hardware and software needed to support ...

Security
  • cybersecurity

    Cybersecurity is the practice of protecting internet-connected systems such as hardware, software and data from cyberthreats.

  • Advanced Encryption Standard (AES)

    The Advanced Encryption Standard (AES) is a symmetric block cipher chosen by the U.S. government to protect classified ...

  • operational risk

    Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business ...

CIO
  • Risk Management Framework (RMF)

    The Risk Management Framework (RMF) is a template and guideline used by companies to identify, eliminate and minimize risks.

  • robotic process automation (RPA)

    Robotic process automation (RPA) is a technology that mimics the way humans interact with software to perform high-volume, ...

  • spatial computing

    Spatial computing broadly characterizes the processes and tools used to capture, process and interact with three-dimensional (3D)...

HRSoftware
  • OKRs (Objectives and Key Results)

    OKRs (Objectives and Key Results) encourage companies to set, communicate and monitor organizational goals and results in an ...

  • cognitive diversity

    Cognitive diversity is the inclusion of people who have different styles of problem-solving and can offer unique perspectives ...

  • reference checking software

    Reference checking software is programming that automates the process of contacting and questioning the references of job ...

Customer Experience
  • martech (marketing technology)

    Martech (marketing technology) refers to the integration of software tools, platforms, and applications designed to streamline ...

  • transactional marketing

    Transactional marketing is a business strategy that focuses on single, point-of-sale transactions.

  • customer profiling

    Customer profiling is the detailed and systematic process of constructing a clear portrait of a company's ideal customer by ...

Close