Since the COVID-19 pandemic, many people have become accustomed to using their smartphone cameras to scan quick response codes, or QR codes. These allow people to access restaurant menus, pay bills, and submit information without the need to make contact with objects or other people.
As the popularity of QR codes skyrocketed, however, cybercriminals found an opportunity to exploit them in a new attack called quishing.
What is quishing, and how does it work?
Quishing is a type of phishing attack where cybercriminals leverage QR codes to trick unsuspecting users into opening fraudulent websites designed to steal sensitive information.
This new type of phishing scam recently targeted drivers at several pay-to-park kiosks in Texas, where scammers attached fake QR codes to pay stations. And in Atlanta, a group of scammers was found placing fake parking tickets with a QR code on cars.
Fraudulent QR codes have also appeared on online ads, billboards, and phishing emails. One common email tactic is to ask recipients to scan a QR code to access an encrypted voice message. In these incidents, scanning the code will take victims to a phony website that asks for their personal information.
By using QR codes to link to a website, threat actors can bypass cybersecurity solutions like secure email gateways (SEGs) that scan for malicious links and attachments. Fraudulent QR codes can also be generated quickly, so they’re unlikely to be recognized and flagged by an SEG’s blocklist.
Should your business be concerned about quishing attacks?
Quishing is a relatively new type of phishing attack, and businesses need to be aware of the dangers it poses. And with QR codes being used in a greater variety of applications, this type of scam will likely only become more prevalent.
For example, in the future, your employees may receive more phishing emails that contain a QR code and ask them to scan it to access a message or document. If your employees fall for this, your business may suffer a security breach that endangers your company’s sensitive data. An attacker could also place a fake QR code sticker on one of your company’s products or advertisements to trick customers into divulging their personal information, ruining your reputation in the process.
How can you protect your business from quishing scams?
To defend your business from these attacks, you need to do the following:
1. Enable multifactor authentication (MFA)
MFA requires users to provide at least one more authentication factor aside from a username and password. This could be a one-time code, physical key, or a facial or fingerprint scan. By enabling MFA, even if a cybercriminal acquires an employee’s login credentials, they won’t be able to access the account without providing the subsequent authentication factors.
2. Educate your staff
Teach your staff to always inspect the legitimacy of an email’s sender address and any QR codes, links, or attachments that come with the message. For instance, if a link with a shortened URL (e.g., bit.ly) appears when they scan a QR code, they should avoid opening the link as it could lead to a malicious website. Finally, instruct your employees to not scan QR codes from unknown sources.
3. Use a reputable security solution
Invest in a comprehensive security solution that can protect your business from phishing attacks and other cyberthreats. A good security solution includes an anti-phishing module that can block malicious emails, as well as an antivirus program that can detect and remove malicious software.
4. Keep your web browsers updated
Security patches for web browsers are released regularly to fix security vulnerabilities that cybercriminals can exploit. As such, you should download and install a browser update as soon as it becomes available.
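The inspection described in step 2 (treating a shortened link behind a QR code as suspect) can be automated for the text a scanner decodes. The Python function below is an added example, not part of the original article; the shortener list beyond bit.ly, the extra checks, and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of link shorteners; bit.ly is the one the article names.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def triage_qr_payload(payload):
    """Return the reasons to hold a QR-decoded string for review (empty list = none)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable URL"]
    if parts.scheme not in ("http", "https"):
        return ["not a web URL (scheme %r)" % parts.scheme]
    if not host:
        return ["no host in URL"]

    reasons = []
    if parts.scheme == "http":
        reasons.append("unencrypted http link")
    bare = host[4:] if host.startswith("www.") else host
    if bare in SHORTENERS:
        reasons.append("shortened URL hides the destination")
    if "@" in parts.netloc:
        # In https://name@host/ the browser goes to `host`, not `name`.
        reasons.append("text before '@' is not the destination host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible lookalike domain)")
    return reasons


if __name__ == "__main__":
    # Constructed sample payloads, as a QR scanner might decode them.
    samples = [
        "https://parking.example.org/pay?zone=12",
        "https://bit.ly/3xYzAbC",
        "http://192.0.2.10/pay",
        "https://city-parking.example@203.0.113.5/pay",
    ]
    for s in samples:
        print(s, "->", triage_qr_payload(s) or "no flags")
```

An empty result only means none of these checks fired; it does not establish that the destination is legitimate.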
You can also partner with a dependable managed IT services provider like Complete Document Solutions for the best protection against quishing and other related scams. We will also take care of all threats before they can cause downtime to your business. Drop us a line today to know more.