
The Rise of Quishing

Posted 25th November 2023

A QR Code Concern

All digital technology tools and applications are created to make tasks quicker and simpler with convenience at the heart of their design. However, whenever a technology reaches mass adoption by the general public it generally means that people engage with it in a more automated way, without the checks and balances that we undertake with unfamiliar processes. This kind of interaction is the perfect environment for cyber criminals to develop their operations and attempt to extract our personal information, infect our devices, or steal our money.

QR codes are the latest digital tool to carry this type of threat. Recent data has shown that in the period between August and September 2023, there was an almost 600% rise in QR code phishing and it’s easy to see how, and why, scammers have chosen it as their newest weapon.

Open Access Equals High Risk

The statistics for QR code use in the UK and Europe demonstrate exactly how much they have become part of our everyday lives, with 86% of mobile device users scanning at least one QR code and 36% scanning one or more every week.

Quishing, as it has become known, is a sophisticated criminal response to the conditions of a recently post-pandemic world that relies on QR codes as a non-contact, and reusable, way of sharing and receiving information. Restaurant menus, GP Surgery sign-ins, and advertising campaigns were all quick to make use of this simple technology and it’s now a common sight to see them make up part of an email too.

A Modern & Mobile Cyberthreat

The process of Quishing follows the tried and tested methods that email phishing and SMS Text phishing have employed for a long time. They are all dependent on messaging that promotes urgency, jeopardy and danger to prompt the user to make quick decisions and follow a set of instructions without pausing to investigate any authentication or legitimacy. 

The Quishing email attempts to get the user to scan a QR code by pretending to be a genuine request to confirm details, add information or access a user account. It’s estimated that between 80% and 90% of all targeted cyberattacks begin with an email, and their success is always reliant on this pattern of human behaviour.

The traditional practice for these scams is to send the unwitting user to a website that then asks for personal information or financial data and payments. Quishing makes this journey even quicker with less friction in the process and a primary focus on mobile to add to the urgency it encourages.

Worryingly, there is also evidence that Quishing is responsible for automatically downloading malware onto devices immediately after the spoofed code is scanned. This instant impact represents a new advantage for the criminals and requires an appropriate response from those of us responsible for cyber security.

Look for Scams before you Scan

We asked the BCN Security team to provide us with three easy ways to try and combat the recent Quishing trend.

1. Report. Report. Report.

Sharing information across your organisation is an essential tool for defence against all cyber-attacks. If you have identified something that strikes you as suspicious then ensure that you report it to the person responsible for cyber security at your company. There should be a protocol in place to follow for these situations and it makes sense to find out exactly what that is before you need it. Prevention is always much better than a cure in the cybersecurity world.

2. You Should Really Check the URL

Scanning any QR code brings up the URL of the website it will take you to before you are directed there. Taking just ten seconds out to check this and see if you recognise the URL is a simple and important line of defence. Does anything look unfamiliar? Is it a website that you recognise or have visited before?

If you are in any doubt whatsoever then don’t click through.
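The same URL check can be automated for QR payloads that a mail filter or reporting mailbox has already decoded. The sketch below is an added example, not BCN tooling; the trusted domains, shortener list and finding names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values; replace both for your own environment.
TRUSTED_DOMAINS = ("example.com", "example.co.uk")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_qr_url(payload):
    """Return the reasons a decoded QR payload deserves a second look."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username or parts.password:
        findings.append("userinfo-in-url")  # text before '@' is not the site
    if not host:
        return findings + ["no-host"]
    try:
        ipaddress.ip_address(host)
        return findings + ["ip-literal-host"]
    except ValueError:
        pass  # not an IP address, so treat it as a domain name
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode-host")
    if host in SHORTENERS:
        findings.append("url-shortener")  # real destination is hidden
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return findings
    findings.append("untrusted-domain")
    for d in TRUSTED_DOMAINS:  # embedded trusted name or near-miss spelling
        tail = ".".join(labels[-(d.count(".") + 1):])
        if d in host or edit_distance(tail, d) <= 2:
            findings.append("lookalike-of:" + d)
    return findings
```

An empty list means none of these checks fired, not that the destination is safe; anything flagged should go through the reporting route described in tip 1.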

3. Spelling Out Success

It’s much more likely that you will encounter a Quishing threat via an email rather than in an offline or real world situation. This means you have the advantage of being able to investigate the communication that accompanies it. The Achilles Heel of the cybercriminal is often in bad spelling, grammar or poor structuring of language. Take a read through the email and look for mistakes or anything that appears unusual. Perhaps even ask a colleague to give a second opinion on your behalf. Again, if you are alerted or unsure then don’t go any further.

360 Degrees of Defence Against Cyber Threats

Our Security team is dedicated to identifying any new threats with rigorous research and testing. They are constantly monitoring the cyber security landscape to give all BCN partner clients a valuable advantage for the safety of their IT environments and users.

BCN is committed to doing our part to make the digital world safer for everyone. That is why we have a dedicated, specialist team to engage clients and have developed our Cyber Security Pledge – created to help protect your business from cyber threats.

Contact us today to see how we can start, or develop, your cyber security credentials together.
