Cyber Security

What is Quishing?

Find out about a popular new phishing attack called quishing, or QR phishing. Find out how it works, and how your business can defend against it.

Jason McNicholas Headshot

Jason McNicholas Cyber Essentials Plus Assessor

23/02/2024 4 min read

Introduction

Malicious actors are always coming up with new and innovative ways to steal your money and information. This means it’s all the more important to be aware of these new attacks as they appear and know how to spot and respond to them. In this article I’ll be bringing attention to a new attack that has become increasingly common in recent months. That attack is called ‘Quishing’, and it is a specific new variant of the much broader attack known phishing.

Share this Article

A recap on Phishing

You’ll probably already be familiar with phishing in some form – and have probably been on the receiving end of a phishing attack. If you need a refresher, this ‘what is phishing’, article does a good job of laying down the basics. Phishing takes many forms, including spear phishing, whaling, smshing and vishing. It’s a form of social engineering in which a scammer pretends to be somebody trustworthy such as a friend, subscription service or a bank to convince a person to do something for them, such as:

  • Reveal confidential information
  • Click on a malicious link
  • Give them credentials

Quishing explained

Quishing is a new form of phishing that uses QR codes, and it’s becoming more popular – you may have even already seen it in the wild. A QR code, or Quick Response code, is a two-dimensional barcode that stores information in a machine-readable format. These can be read and interpreted your smartphone camera and store a variety of information. QR codes are designed to be used for a range of different purposes including:

  • Linking to websites
  • Making instant payments
  • Storing event ticket information
  • Saving contact information directly to a device

QR codes look like this:

This QR code is not malicious and links to the Bulletproof.co.uk homepage

How does a quishing attack work?

In the case of QR code phishing, attackers create a malicious QR code that, when scanned by a mobile device or QR code reader, leads the user to the same kind of activities as we see in other types of phishing. This could be a fraudulent website, a fake login page that captures sensitive information, or a URL that delivers malware. As for how the QR code gets to you in the first place, often it’s via an email, pretending to be from a reputable company, or from a friend’s email address. No, your friend probably hasn’t turned into a cyber criminal, but their email might have been hacked. Social media apps and messaging apps like Whatsapp are also attack vectors for quishing.

How to defend against quishing?

Quishing has the potential to get through spam filters and antimalware protection that may be scanning emails. If a malicious link is sent in an email, a spam filter or antimalware software would scan and block this, however, if the malicious link is a QR code, it may be seen as ‘just an image’ and therefore would not trigger a spam filter or malware scanner.

Cyber security is a constant game of cat and mouse between good guys and cyber criminals. New technologies present new opportunities and challenges, and the bad guys are often the first to exploit new tech capabilities. While QR codes might slip through some spam filters and anti-malware programs now, the defensive tech will evolve to combat QR-based threats.

In the meantime, I recommend the same defence as any other type of phishing attack: education. Regular security awareness training is a fundamental part of stopping all cyber attacks, but especially for phishing and social engineering attacks.

Top Tips for Security Awareness Training

  1. 1

    Keep training up to date

    For security training to be effective, it should always be reviewed, updated and provided regularly to include advice on new threats in the ever-evolving landscape of cyber security.

  2. 2

    Show how to spot quishing attacks

    Tells users how to spot phishing attempts. Often Quishing attempts may still show common red flags of other phishing attacks such as bad spelling/grammar, misspelt/strange sender Email address and a cover story to make you take an action without thinking about it i.e. a time limit before your account is deleted.

  3. 3

    Tell users how to respond

    This one varies according to your company policies, but I recommend reporting the email to your IT department, not just deleting it. This way tech teams can start to mount a proactive defence.

Why is quishing getting so common?

The rise of quishing attacks highlights how hackers and malicious actors are adapting to people becoming more security conscious and aware of the risks of links in emails. This advice, although correct and important, does not usually stretch to QR codes specifically and may lead a user to scan the QR code without thinking of the security repercussions as it may not have been specifically outlined as a potential risk to them in the past.

Start with the basics

In the ever-evolving cyber landscape, where hackers continually devise innovative ways to exploit vulnerabilities, our awareness becomes paramount in safeguarding against emerging threats. We must never forget that there are malicious actors always trying to find new and unexpected ways to exploit and attack. It can never be understated how important awareness and knowledge of emerging threats are for preventing attacks and data breaches. And even things as straightforward as reading this blog can be the difference between falling for quishing and remaining safe online.

Building a multi-layered security strategy can help overcome the impact of a successful quishing attack. And I recommend getting the basics right first. A good example here is Cyber Essentials certification and especially Cyber Essentials Plus. This makes you look at the elemental security components of your organisation and build a strong foundation. Even businesses with a mature security strategy can benefit from Cyber Essentials certification. Who knows, you might even get me as your Cyber Essentials Assessor!

Jason McNicholas Headshot

Meet the author

Jason McNicholas Cyber Essentials Plus Assessor

Jason’s experience as a Cyber Essentials Plus Assessor has given him a keen insight into helping businesses make smart, effective improvements to their security posture. He leverages his technology background to make Cyber Essentials certification as painless as possible for his clients.

Protect your business with Cyber Essentials

Keep hackers out of your business with Cyber Essentials. Protect against quishing and keep your data secure. Find the right Cyber Essentials package to suit your needs.

Find the right package now

Related resources


Trusted cyber security & compliance services from a certified provider


Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.