QR code phishing

What is QR code phishing?

QR code phishing, or quishing, is a social engineering phishing attack that intentionally deceives its recipient into scanning a QR code, redirecting the person to a bogus website. Most often sent embedded in an email, these code images sidestep security controls and most link filters, making them far more dangerous than most other forms of phishing.

The rise of QR code technology

Invented in 1994 in Japan for automotive company Denso Wave to assist in labeling parts, QR codes, or quick-response codes, are code-encrypted images consisting of black-and-white squares deciphered by Reed-Solomon error correction.

Unlike one-dimensional barcodes, which can only be scanned from top to bottom, QR codes are scanned from top to bottom and left to right. Nowadays, these codes are designed and sent to direct users to a URL, aid in sending emails or text messages and display a message to its recipient.

Broader applications began as far back as 1997. Adoption was slow, though its use steadily increased during the last decade. However, QR code use exploded recently, especially following the pandemic. It's expected more than 100 million U.S. smartphone users will scan a QR code in 2025.

How QR code phishing works

Much like a regular phishing email, quishing scams imitate marketing emails from reputable, trusted sources, such as financial agencies. The message emphasizes urgency and encourages quick action, providing a link for the recipient to click. This malicious link leads to a site that either requests login credentials, asks for personal data such as a home address or a PIN, or instantly begins downloading some type of malware.

While numerous articles and workplace courses detail spotting and reporting email phishing scams, quishing remains less known, making it an alluring option for cybercriminals. Indeed, the widespread use of QR codes has spilled over from emails to near ubiquity. They can be found in newspapers, magazines or any public place.

Risks and consequences

Because it's designed to circumvent most forms of filtering and security, quishing is riskier than other phishing scams. There are several risks and consequences with quishing.

Harm to the individual

As with most phishing scams, quishing comes with the intent of installing malware on the device of its victim to steal personal and financial information. Targets of quishing often end up falling victim to compromised personal devices, identity theft and, most commonly, financial fraud.

Corporate financial implications

The most common end goal of quishing scams is the illicit acquisition of money. A study conducted by Ponemon in 2021 concluded that large organizations suffered more than $15 million in phishing-related loss, equaling approximately $1,500 per employee.

The amount of financial loss is also increasing. Direct financial loss from phishing attacks increased by 76%, according to Proofpoint's "2023 State of the Phish" report.

Data security concerns

Many quishing scams compromise sensitive consumer data. These breaches not only release confidential information the individual client believed secure, they damage the reputation of the victimized company, likely resulting in a loss of customers and reduced revenue.

Common targets of quishing

Given that most attackers seek monetary gain, the most common targets of these campaigns are businesses and infrastructures that hold sensitive financial information, such as banks, online stores, IT companies and payment systems. While attacks on these businesses at large are a very real security threat, quishing affects individual account holders, too.

Scammers singling out individuals tend to mask themselves as widely recognized and trustworthy corporations -- Amazon, Wells Fargo, LinkedIn and Apple among them -- to lure would-be victims into a false sense of familiarity and trust, making them more likely to scan the QR code without questioning the source.

Preventive measures

There are steps to avoid a quishing scam. As with any other scam, avoid responding to emails with a sense of urgency, look for other red flags around the QR code and apply normal security measures such as proper password hygiene.

Recognizing legitimate QR codes

When verifying the source of a QR code in an email or automated text message, there are several potential signs of fraud. No QR code received without warning or from an unfamiliar sender should be scanned without further research into the source. Even if it appears valid, contact the business in question to verify its legitimacy.

If encountering a random QR code outside, whether in a park, a restaurant or any other congregation site, look for signs of tampering, such as the existence of a hidden code underneath.

Applying best mobile security practices

In general, apps designed to scan QR codes are unnecessary. The only tool needed to scan a code is a smartphone's preinstalled camera app.

Password safety is the most useful tool in preventing cyberattacks. Passwords are most protective when treated as passphrases, or meaningful phrases to the user, with letters replaced by numbers and special characters. Using multiple passphrases for different accounts keeps personal information secure and prevents attacks.

For example, most services that require a password nowadays -- YouTube, Google, Microsoft -- and almost all social media platforms have the option to use the multifactor authentication method for login. These extra barriers make it more difficult for hackers and other cybercriminals to access personal and business accounts. They're more likely to give up.

An installed security app or antivirus software is the most dependable defense against malicious links. Security apps and antivirus software block automatic downloads and warn against linking to illegitimate sites.

Becoming familiar with phishing tactics

Individual users and businesses must strive to regularly educate themselves on the changing tactics of phishing and what various attacks look like in the first place.

The majority of quishing emails stress urgency to emotionally manipulate the recipient. Recipients should read through the email first and check the address it comes from. Fraudulent messages typically contain spelling errors or incorrect information. And no legitimate email ever makes demands for personal information or classified professional information.