HQ/EMEAFind out how we can help your business
Northern Ireland’s law enforcement agency has issued an advisory regarding a new threat called Quishing that leveraged malicious QR codes. The attack is a phishing campaign through QR codes to lure unsuspecting victims.
The advisory highlighted the need for local companies to enhance their employees’ cybersecurity awareness to identify and mitigate this emerging threat.
Quishing is a traditional phishing campaign that uses QR codes.
Based on the advisory, Quishing is a new phishing method with the primary objective of deceiving its victims with QR codes so they will provide their sensitive information or unsuspectingly install malware.
In this campaign, unsuspecting individuals receive malicious emails, including a PDF or PNG image containing a QR code. These messages indicate that the perpetrators impersonate popular brands, such as Microsoft Authenticator, to enhance the credibility of the phishing attempt.
This method of operation allows the phishing email to bypass standard security solutions, making recipients more likely to trust the sender. The attack will redirect the recipients to a URL that hosts malware once they scan the QR code. In some instances, the QR code contains a deceptive login page that could harvest credentials.
This is not the first time a QR code-based phishing attack has infested users worldwide. During the COVID-19 pandemic, a similar campaign has terrorised Healthcare providers after the hospitality industry increasingly adopted QR codes.
The pandemic inadvertently created opportunities for cybercriminals to develop new cybercriminal methods. In 2020, scammers exploited the pandemic by sending fraudulent emails and text messages promising access to COVID-19 vaccines by scanning QR codes.
In addition, a couple of months ago, a substantial quishing campaign targeted companies’ customers across various sectors, including energy, manufacturing, insurance, technology, and financial services. Security experts explained that QR code scams are particularly effective because they often lack the spelling and language errors that could raise suspicions among meticulous individuals.
Organisations should invest more in cybersecurity training for their employees. These trainings will allow their employees to increase their awareness of such scams, leading to a more secure environment. Staying vigilant and informed is essential to mitigating the impact of such threats since threat actors will continue to upgrade their attacks.
