Quishing: Sneaky QR Code Scams to Look Out For
While phishing is still a serious threat, I want to address another one that is multiplying: malicious QR codes. This now has an official name, “quishing,” to go along with phishing, vishing (voice), and smishing (SMS). Sitting in the airport writing this, I’m surrounded by QR codes, from the restaurant to customer service to every ad on the wall. They are convenient, but a QR code is essentially a URL that you cannot see, and therefore cannot validate, before you open it. We are now seeing more and more instances of bad actors using them for nefarious purposes.
New Scenarios of QR Code Scams
In Honolulu, parking meters carried stickers with a QR code that let you pay for parking and keep track of the time you had left. Some industrious person went through and replaced the stickers with ones of their own that looked identical. Instead of parksmarter.com, the fake code sent drivers to parksmarter.app, where the fraudster had duplicated the website and collected the parking payments. This is a simple and easy thing for a fraudster to do.
There have also been several instances of package scams, where a package you never ordered arrives at your address. To return it, you are told to scan the QR code and provide the necessary information. Most of the time, the goal is to collect your credit card information through that form.
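The common thread in both scenarios is that the QR code hides a URL you never get to read. The check below is an added example (not from the original post) of what a quick, defender-side inspection of a decoded QR payload can look like: it only runs on the decoded string, so it assumes you have already scanned the code with a tool that shows the raw payload instead of opening it. The allowlist holds the legitimate domain named in the post; everything else, including the parksmarter.app swap, is flagged.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for the scenario in the post: the genuine parking site.
EXPECTED_HOSTS = {"parksmarter.com"}


def name_and_tld(host):
    """Split 'www.parksmarter.com' into ('parksmarter', 'com').
    Naive two-label split: fine for .com/.app, wrong for suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else None


def inspect_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Return a list of findings for a decoded QR payload.
    An empty list means: HTTPS URL on one of the expected hosts."""
    findings = []
    parts = urlsplit(payload.strip())
    # QR codes can carry Wi-Fi credentials, vCards, phone numbers, etc. Only
    # http(s) URLs are judged here; anything else is handed back for a human.
    if parts.scheme not in ("http", "https"):
        return [f"non-web payload (scheme '{parts.scheme or 'none'}'): do not act on it blindly"]
    if parts.scheme == "http":
        findings.append("plain HTTP: anything you type travels unencrypted")
    # 'https://parksmarter.com@evil.example/' shows the trusted name first,
    # but the browser connects to whatever follows the '@'.
    if parts.username is not None:
        findings.append("'user@' before the host: the real host is what follows the '@'")
    host = (parts.hostname or "").lower()
    if not host:
        return findings + ["URL has no host"]
    try:
        ipaddress.ip_address(host)
        return findings + [f"host is a bare IP address ({host}), not a named site"]
    except ValueError:
        pass  # a normal hostname
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host: possible look-alike of a familiar name")
    # Exact match or a subdomain of an expected host is fine.
    if any(host == h or host.endswith("." + h) for h in expected_hosts):
        return findings
    expected = {name_and_tld(h) for h in expected_hosts} - {None}
    got = name_and_tld(host)
    # Same second-level name under a different TLD: the .com -> .app trick.
    if got and any(got[0] == e[0] and got[1] != e[1] for e in expected):
        findings.append(f"look-alike domain: '{host}' reuses an expected name under a different TLD")
    else:
        findings.append(f"unexpected host '{host}'; expected one of {sorted(expected_hosts)}")
    return findings
```

The two-label domain split is deliberately simple; for a production allowlist you would use a public-suffix list so that `parksmarter.co.uk` style names are split correctly.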
Using QR Codes in Business Email Compromise (BEC) Ploys
Recently, we have seen a huge uptick in malicious QR codes embedded in emails. Users receive an email saying that their password is about to expire and that they can scan the QR code with their phone to update their credentials. We have seen many variations of this email. Over the last few weeks, almost 90% of the phishing emails that previously arrived with links have switched over to QR codes, and those get past the filters.
These QR codes get you to use your phone, which can take the bad actor around any blocks the company has in place to stop these types of links, since a personal phone is usually outside those controls. The URL takes you to a site that proxies your login so that it appears legitimate, but it records your credentials in the process.
Because the site sits in the middle of the real login, these scams can also record the session cookie issued after you authenticate with passwordless or MFA. The attacker then holds an authenticated session that lasts as long as your MFA is good (maybe 14, 30, or 90 days!).
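A stolen session cookie does not need a password or a second factor, so the useful detection signal is the cookie being used from somewhere other than where it was minted, or for longer than policy allows. The script below is an added example, not code from the original post: it assumes a simplified JSON-lines export of identity-provider events (the field names, the sample rows and the 14-day lifetime are all constructed for illustration) and reports sessions whose later activity comes from a different platform or IP than the MFA completion, plus sessions still active beyond the assumed lifetime. A bare IP change is scored low because mobile carriers and NAT change addresses legitimately; a platform change on the same cookie is the stronger signal.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed identity-provider events, newest last. Invented samples, not real logs.
SAMPLE_EVENTS = """
{"ts":"2024-05-06T09:00:00Z","user":"alice","session":"S1","event":"mfa_ok","ip":"203.0.113.10","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Safari/604.1"}
{"ts":"2024-05-06T09:00:12Z","user":"alice","session":"S1","event":"access","ip":"203.0.113.10","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Safari/604.1"}
{"ts":"2024-05-06T09:03:40Z","user":"alice","session":"S1","event":"access","ip":"198.51.100.77","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}
{"ts":"2024-05-06T10:15:00Z","user":"bob","session":"S2","event":"mfa_ok","ip":"192.0.2.5","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}
{"ts":"2024-05-06T11:00:00Z","user":"bob","session":"S2","event":"access","ip":"192.0.2.9","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}
{"ts":"2024-06-10T08:00:00Z","user":"bob","session":"S2","event":"access","ip":"192.0.2.5","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"}
""".strip()

# Assumed policy value; the post mentions 14-, 30- and 90-day session lifetimes.
MAX_SESSION_AGE = timedelta(days=14)


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime in 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def platform_of(ua):
    """First token of the UA's parenthesised platform string, e.g. 'iPhone' or 'Windows NT 10.0'."""
    m = re.search(r"\(([^;)]+)", ua)
    return m.group(1).strip() if m else ua


def detect_session_anomalies(events, max_age=MAX_SESSION_AGE):
    """Compare every activity event with the mfa_ok event that minted its session cookie."""
    issued = {}   # session id -> the mfa_ok event for that session
    findings = []
    for e in events:
        if e["event"] == "mfa_ok":
            issued[e["session"]] = e
            continue
        origin = issued.get(e["session"])
        if origin is None:
            findings.append({"session": e["session"], "user": e["user"], "severity": "medium",
                             "reason": "activity on a session with no recorded MFA completion"})
            continue
        ip_changed = e["ip"] != origin["ip"]
        platform_changed = platform_of(e["ua"]) != platform_of(origin["ua"])
        if platform_changed:
            # Cookie minted on a phone (the QR scan) now driving a desktop browser elsewhere.
            findings.append({"session": e["session"], "user": e["user"], "severity": "high",
                             "reason": f"cookie minted on {platform_of(origin['ua'])} from {origin['ip']} "
                                       f"now used on {platform_of(e['ua'])} from {e['ip']}"})
        elif ip_changed:
            findings.append({"session": e["session"], "user": e["user"], "severity": "low",
                             "reason": f"source IP moved {origin['ip']} -> {e['ip']} (same platform; may be NAT or mobile)"})
        if e["ts"] - origin["ts"] > max_age:
            age = (e["ts"] - origin["ts"]).days
            findings.append({"session": e["session"], "user": e["user"], "severity": "medium",
                             "reason": f"session still active {age} days after MFA; exceeds {max_age.days}-day policy"})
    return findings


if __name__ == "__main__":
    for f in detect_session_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['user']}/{f['session']}: {f['reason']}")
```

On the constructed sample this yields one high finding (alice's phone-minted cookie reused from a Windows browser on another address), one low finding (bob's address change on the same platform) and one medium finding (bob's cookie still in use 34 days after MFA). In a real proxy-in-the-middle case the minting IP may already belong to the proxy rather than the user, so pair this check with new-device and impossible-travel signals rather than relying on it alone.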
QR Code Best Practices
It’s simple: don’t use them!
In public spaces, ask for the URL instead, so that you can preview it and visit it at your own discretion.
Similarly, in a restaurant, ask whether a physical menu is available.
Avoid using QR codes in your own marketing or internal processes, so that employees and members get used to doing without them.
Invest in information security and phishing training for staff: the rise and convergence of quishing and phishing represents a serious risk.
Send training messages to your user community letting them know that you will never use QR codes in emails to ask for authentication.
Keep your eyes open and stay up to date on emerging risks. Pure IT’s vCISO program helps credit unions holistically mature their security posture, including training for users and board members, developing incident response plans, and directing efforts after an exam or audit.