QRishing – A New Version of an Old Scam

November 17, 2021 at 3:00 PM

QR codes are everywhere these days. They can be found on restaurant menus (since the start of COVID), company websites, business cards, flyers, brochures, etc. Most individuals have likely seen or scanned one at some point recently. A QR code, short for "Quick Response" code, is a small square image, similar to a barcode, that most modern smartphones can scan with their cameras. Once scanned, the phone offers to open whatever the code encodes, most often a URL. The code itself is just a grid of black and white modules; a person cannot read the URL it contains until a device decodes it. So the next time you see a QR code and are tempted to scan it, be cautious.

By now, we have all heard of, known someone who was hit by, or been hit ourselves by a phishing, vishing, smishing, HTTP phishing, spear phishing, pop-up phishing, or clone phishing attempt. As if that were not enough to worry about, there is now another attack vector to watch for: QRishing, also known as quishing.

What is QRishing?

QRishing is phishing that uses fraudulent QR codes, most often sent via email (frequently from compromised, and therefore legitimate-looking, email accounts) to unsuspecting recipients. Attacks can also arrive through social media, text messages, physical mail, flyers, and any other place you might find a QR code. It could even be a sticker on a park bench that piqued your curiosity. Here is a common QRishing scenario: you receive an email notifying you that you missed a call on your work phone, and the email contains a QR code that you can supposedly scan to access the voicemail. The code opens what appears to be a legitimate Microsoft login page, and you are prompted to enter your Microsoft credentials. That page is the attacker's credential-harvesting site: whatever you type is sent to the attacker, who can then sign in as you. And that is it, your account has been compromised by a QRishing attack.

While many of us would probably see an email with a QR code and know right away that something isn't right, attackers are very good at putting themselves in your shoes and crafting delivery methods for these QR codes that they believe you will fall for. QR codes are not new, but they are rarely used in legitimate business email to deliver links, so an unexpected one deserves suspicion. The attackers are betting on curiosity, naivety, or simply acting too fast before the recipient realizes something is wrong.

QRishing Examples

In one example, a victim told the BBB Scam Tracker that they received a fraudulent letter about their student loan. The letter contained a QR code that appeared to point to the official Studentaid.gov website. Because the QR code hid the full URL until it was scanned and opened in the browser, the victim was less apt to check the URL than they might be when it is shown in plain text, or in a hyperlink that can be hovered over and examined. That is one of the greatest dangers of this attack vector. With a phishing email, you can hover over a hyperlink and see where it will send you. With a QR code, you must first scan it with your phone; the scanner app may show only a truncated preview of the URL, and the code may point to a URL shortener whose real destination is not visible until you follow it, either of which can be misleading.

When it comes to QR codes sent via email, most common email security filters struggle to detect and block these messages. The sending accounts are often legitimate (compromised) ones, so sender checks pass, and the malicious URL is encoded in the pixels of an image rather than present as a link, an attachment, or a URL in the message text that a filter can inspect. Filtering that decodes QR images and checks the embedded URL closes part of that gap, and multi-factor authentication limits what an attacker can do with a stolen password, but the most crucial step to stopping your employees or family from falling victim is continuous security awareness training. If the recipient knows what to look for and what to avoid, they may not fall for this new version of an old scam.
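The two paragraphs above make the same point from the user's side and the filter's side: the URL inside a QR code is not visible until something decodes it, and once decoded it still has to be checked. The following is an added example, not code from the original article or from Compass IT Compliance, of the checks a person (or a mail gateway that has already decoded the image with a QR library) would apply to the decoded payload. It assumes the decoding step has already happened and works on the resulting string; the shortener list, the sample URLs and the "expected" brand domain (studentaid.gov, from the BBB example) are constructed for illustration, and the registrable-domain logic is a deliberate simplification that a real deployment would replace with a public-suffix list.

```python
"""Vet the URL decoded from a scanned QR code before following it.

Added example, not part of the original article. The checks below cover the
deceptions the article describes (hidden destination, lookalike domain) plus
the standard URL tricks used in credential phishing. The decoding of the QR
image itself (e.g. with a QR decoder library) is assumed to have happened.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed list of public URL shorteners whose preview hides the destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


def _registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Adequate for the .gov/.com style hosts used in this example; a real
    deployment would use a public-suffix list (assumption, see lead-in).
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def vet_qr_url(payload: str, expected_domain: str) -> list[str]:
    """Return the red flags found in a decoded QR payload.

    An empty list means the payload is an https URL on expected_domain with
    none of the deception tricks below.
    """
    flags = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        # QR payloads are not always web URLs (tel:, WIFI:, plain text).
        # Anything else should not be auto-opened as a link.
        return [f"non-web scheme or not a URL: {parts.scheme or 'none'!r}"]
    if parts.scheme != "https":
        flags.append("plain http, not https")
    if parts.username is not None:
        # https://studentaid.gov@evil.example/ : the browser ignores the part
        # before '@'; the real host is what follows it.
        flags.append(f"userinfo before '@' disguises real host {parts.hostname!r}")
    host = (parts.hostname or "").lower()
    if not host:
        return flags + ["no host"]
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
        return flags
    except ValueError:
        pass  # not an IP literal, carry on with domain checks
    reg = _registered_domain(host)
    expected = expected_domain.lower()
    if reg in SHORTENER_HOSTS:
        flags.append(f"URL shortener {reg}: destination hidden until followed")
    elif reg != expected:
        # Lookalike: the expected domain is used as a subdomain or label of a
        # different registrable domain, e.g. studentaid.gov.secure-login.example
        if host.startswith(expected + ".") or expected.replace(".", "-") in host:
            flags.append(
                f"lookalike: {expected!r} appears inside {host!r}, "
                f"real domain is {reg!r}"
            )
        else:
            flags.append(f"different domain: {reg!r} is not {expected!r}")
    return flags


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder might return them.
    samples = [
        "https://studentaid.gov/fsa-id/sign-in",
        "https://studentaid.gov.secure-login.example/verify",
        "https://bit.ly/3abc",
        "http://studentaid.gov@198.51.100.7/",
        "tel:+15555550100",
    ]
    for s in samples:
        verdict = vet_qr_url(s, "studentaid.gov") or ["no red flags"]
        print(f"{s}\n    " + "\n    ".join(verdict))
```

Run it as a script to see each constructed payload and its verdict. Only the first sample comes back clean; the second is the lookalike pattern from the BBB example, the third hides its destination behind a shortener, the fourth combines plain http, a fake "studentaid.gov" before the '@', and a raw IP host, and the last is not a web URL at all and should not be opened as one.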

Work With Compass IT Compliance to Train Your Team Against QRishing Attacks

The main tip here is to treat a QR code with the same suspicion you would give any URL, attachment, or unfamiliar email you come across. Train your users and be vigilant. Compass IT Compliance offers a wide range of services, including phishing and social engineering assessments that can incorporate QRishing if desired. Contact us today to learn more and discuss your unique situation!
