QR codes used for phishing or "quishing" are now increasing and are a significant threat to both individuals and organizations. Barracuda Networks experts see an increasing risk with these types of attacks becoming increasingly sophisticated, complex and difficult to detect.
The attacks trick recipients into visiting malicious websites or downloading malware.
What makes them particularly dangerous is that they are difficult to detect using traditional email filtering methods. A fake QR code is usually not the only sign of a malicious email. But with, for example, AI and image recognition technology, they can be revealed. AI-based detection also takes into account other characteristics such as sender, content, image size and location.
- Users should exercise caution when scanning QR codes delivered via email or other channels. If you must scan QR codes, we recommend downloading a known QR code scanner from a trusted app store. If QR code attacks are not included in the organization's cyber security training, it is important to address it as soon as possible. Although QR codes have made our daily lives easier, they have also opened up new avenues for cybercriminals, says Olesia Klevchuk who works on email security at Barracuda Networks.
Some examples of "quishing"
One way to practice "quishing" is to embed QR codes in e-mail messages and prompt recipients to scan the code and visit a fake page that gives the impression of being trustworthy. Victims are usually tricked into entering their login credentials which are then intercepted by the attacker. Fake QR codes can also lead to surveys or forms that request personal information such as name, address or social security number. Victims can be lured with promises of rewards or prizes in exchange for information or even a small payment.
Similarly, QR codes can link recipients to websites that automatically download malware to the victim's device when scanned. The malware can range from spyware to ransomware, allowing attackers to steal data or take control of a compromised device.
QR codes can also be used to open payment sites, follow social media accounts, and even send prescriptive emails from recipient accounts. This means hackers can easily impersonate their victims and target others in their contact lists.
English 
Svenska