What Is QR Code Phishing (Quishing)?

QR phishing, or quishing, is a phishing attack where an attacker tries to trick a victim into interacting with a QR code image. The QR code usually redirects users to a page where they are prompted to enter login credentials.

Unfortunately, these pages are malicious copies, and attempting to log in gives attackers access to credentials, compromising the user’s account. Learn more about how QR code attacks work, why they’re increasingly common, what they lead to, and how to stop them.

Consider this real QR code attack that Abnormal detected. At first glance, the email appears trustworthy – it’s a friendly reminder from Microsoft that your MFA password is set to expire, so you need to update it:

All you have to do is scan the QR code with your phone. Once you do, you’re redirected to a Microsoft-branded login page where you can enter your credentials to update your password.

Easy, right?

Unfortunately, the page is a malicious spoof, and your credentials go straight to an attacker. At this point, your account is compromised.

This playbook is relatively simple to replicate, and it follows the classic phishing attack playbook:

• The email appears to come from Microsoft, a trusted source.

• The email contains manufactured urgency with the password set to expire that day.

• The email funnels the user into sharing their credentials.

Attackers continually develop new techniques to bypass both individual awareness and organizational security defenses. One of the fastest-growing tactics is QR code phishing attacks, which are rising in frequency due to several factors:

1. Traditional email filters struggle with QR images. At first glance, a QR code appears to be a benign image without a malicious URL or suspicious text. However, we found that 17% of all attacks get through built-in spam filters (from Google or Microsoft, for example) that use QR codes.

2. People are using QR codes more and more in their daily lives. Menus, boarding passes, and payment apps normalize scanning, so employees hesitate to question a QR code in an email.

3. A QR code moves the attack away from a secure email to a user’s phone, which doesn’t have the same lateral protection and posture management as a cloud-based business environment.

The QR code attacks that Abnormal uncovers are primarily phishing attempts. These emails use urgency and impersonation to trick a user into interacting with a QR code that redirects to a website that looks like a legitimate login page.

QR codes have various malicious uses besides a classic phishing attack. When successful, any of these approaches can compromise login credentials, financial information, sensitive data, and more.

Some of the most common uses for these codes are:

• Malware Downloads: Malicious QR codes can link to infected websites that automatically download malware to compromise devices or steal data.

• Invoice Fraud: Cybercriminals use specific QR codes to direct users to fake billing portals, tricking them into paying fraudulent invoices.

• Login Hijacking: Scanning a malicious code may lead to a spoofed login page designed to harvest credentials for account takeover.

• Email Impersonation: Attackers embed malicious QR codes in spoofed emails to impersonate trusted contacts and manipulate recipients into harmful actions.

Abnormal blocks quishing with a three-pronged behavioral AI approach:

1. We use natural language processing and understanding to identify unusual or unknown email senders, urgent language, and impersonated email addresses – all hallmarks of QR phishing attacks.

2. Our AI-native detection engine decodes the QR code to extract and display the URL, using URL detection capabilities to identify if it’s malicious.

3. Detects unusual behavioral signals commonly associated with QR code attacks by understanding normal business relationships and communication patterns.

On an individual level, the simplest way to avoid a quishing attack is by ignoring any QR code from an unknown source. But that’s easier said than done, particularly at a large enterprise.

Here’s what organizations can do to reduce the odds of a QR phishing attack:

• Use an email security solution that can parse a QR code in the body of an email to detect malicious URLs.

• Don’t rely on QR codes for MFA or other legitimate uses, as employees will begin to trust emails with QR codes.

• Conduct security awareness training and simulations that educate and test employees on unknown QR codes.

Ready to see how Abnormal can stop QR code phishing before it reaches your workforce? Request a demo and experience AI-native email security in action.