QR (Quick Response) codes have become ubiquitous as smartphones have become more popular. Furthermore, due to the COVID-19 epidemic, most industries and sectors are getting digitized, with online payments becoming a significant part of this new ecosystem. However, malicious actors can use a counterfeit QR code to divert the link’s original destination to a phishing website. Identification of QR code phishing is rising gradually, in step with the research into online and email phishing. These new phishing attacks are called “Quishing” attacks. This article explains such QR code attacks, how to recognize them, and how to stop phishing emails.
How Are QR Codes Being Used for Phishing?
Scanning a fake QR code on a smartphone may trigger a prompt to open a link or download a malicious file. Fraudsters can easily exploit the codes to hide unsafe links since one cannot identify them visually. Malicious actors can direct individuals to phishing sites and carry out various exploits on their devices using phishing QR codes.
Scammers try to make phishing links appear authentic by altering the names of popular corporations and government agencies. Furthermore, they use shortened URLs, which means there is no way of verifying where a link will redirect you just by looking at it. The threat of QR codes is not limited to phishing links. Malicious actors can also use QR codes for payments, verification of information, downloading unwanted applications and malware to your devices, and more.
What Makes QR Code Phishing Attacks A Big Threat?
Several factors make QR code phishing attacks more severe than spear-phishing, including:
- No Detection: One cannot detect QR code phishing attacks as no software checks the legitimacy of QR codes. On the other hand, you can identify regular phishing attacks as they cannot pass spam filters and have misspellings or phony email senders.
- Wide Range of Attacks: QR codes are not limited to payments and can be used for adding contacts, downloading malicious applications, making phone calls, and uploading personal information, which makes them more dangerous.
- No Email Protection: QR code phishing attacks can hide some or all of the malicious information inside a message to bypass traditional email protection.
- Widely Deployed: These attacks are not just limited to spoofing emails or messages but can be found in many public places. Malicious actors can deploy fake QR codes in airports, bus stops, restaurants, flyers, spurious advertisements in emails, and other public places.
- Not Human-readable: The biggest challenge of QR codes is that human eyes cannot read them. QR codes can only be scanned using devices. After that, they can redirect you to malicious URLs or download applications for extracting personal information from your device.
The Latest QR Code Phishing Attacks
There are numerous QR code phishing attacks occurring worldwide. German e-banking users reported a new phishing attack that involved the use of QR codes in phishing emails. The emails contained seemingly formal content and bank logos and prompted users to consent to an updated data policy by reviewing new security features. The emails also had QR codes that redirected to phishing websites asking for the bank’s branch, code, username, and PIN.
Adversaries deployed another QR code phishing attack to steal Microsoft Office 365 user credentials. Attackers sent the messages using compromised emails of legitimate users and organizations. The emails contained voice messages that required scanning an attached QR code to access the voicemail. The use of QR codes in phishing has given threat actors new ways to harm you. These codes are not limited to emails and can be present in public places to trick you. Moreover, QR code phishing might be challenging to detect.
How to Identify And Protect Against QR Code Phishing Attacks?
QR code phishing attempts often redirect you to phishing websites that you can identify if you have a keen eye. Below is information on identifying and protecting against QR code phishing attacks.
- Verifying QR Codes: There is a level of security since you must scan QR codes first. Always make sure to verify the sender behind QR codes. You can do so easily by contacting the sender or following up with the official website.
- Avoid Strange Links: Anonymous messages with phishing links or QR codes may redirect you to fake websites, prompt payments, or download malware to your device. Therefore, you should avoid opening unsolicited emails and notifications that look suspicious.
- Alternative Payment Methods: QR codes might be a new way to make online payments quickly. However, it is better to use alternative payment methods such as mobile wallets, wire transfers, etc., to safeguard yourself against QR code scams.
- Avoid Shortened URLs And Tampered QR Codes: Always look at a link before clicking on it and avoid clicking on shortened links. Malicious actors can also place a phishing QR code over a legitimate one. Therefore, be cautious of QR codes that appear to have been tampered with.
- Multi-factor Authentications: QR codes may redirect you to legitimate-looking phishing pages asking you to enter your login credentials. You can recognize them by examining the email address, but using multi-factor authentication can also help protect you, as it requires additional checks for login activity.
- Mobile Security: Many excellent antivirus programs and anti-phishing solutions are available in the market. They can detect malicious links and misspellings, and use sandboxes to run all downloads safely.
- Avoid QR Locked Applications: QR codes can also be used to prevent the opening of applications and files unless scanned. You should avoid such applications and attached files for protection.
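To make the "Wide Range of Attacks" and "Avoid Shortened URLs" points concrete, here is an added example (not code from this article) of how a scanner or mail gateway could triage the text decoded from a QR code before acting on it. The function name, the shortener sample list, and the flag wording are assumptions for illustration; the payload prefixes are the common conventions for QR contents.

```python
import ipaddress
from urllib.parse import urlsplit

# Small sample of shortener hosts (assumption: extend from your own telemetry).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "goo.gl"}

# Non-web payloads a scanner may act on: call, SMS, e-mail, Wi-Fi join, contact.
ACTION_PREFIXES = {
    "tel:": "phone-call", "sms:": "sms", "smsto:": "sms",
    "mailto:": "email", "wifi:": "wifi-join",
    "mecard:": "contact", "begin:vcard": "contact",
}

def triage_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload and list reasons to review it before acting."""
    text = payload.strip()
    for prefix, kind in ACTION_PREFIXES.items():
        if text.lower().startswith(prefix):
            return {"kind": kind, "flags": ["non-web action: confirm with the user"]}
    try:
        parts = urlsplit(text)
    except ValueError:  # e.g. malformed IPv6 brackets in the host
        return {"kind": "text", "flags": ["unparseable URL"]}
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return {"kind": "text", "flags": []}
    host, flags = parts.hostname, []
    if parts.scheme == "http":
        flags.append("no TLS")
    if host in SHORTENERS:
        flags.append("shortened URL: destination hidden")
    if parts.username or parts.password:
        flags.append("userinfo before host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host: possible look-alike name")
    try:
        ipaddress.ip_address(host)
        flags.append("IP address instead of domain")
    except ValueError:
        pass  # host is a name, not an IP literal
    return {"kind": "url", "host": host, "flags": flags}

if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real campaign.
    for sample in ("https://bit.ly/constructed",
                   "http://login.example.com@203.0.113.7/reset",
                   "WIFI:S:CafeGuest;T:WPA;P:constructed;;"):
        print(sample, "->", triage_qr_payload(sample))
```
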
With the advancement of security systems, malicious actors have also improved their methods to target individuals and organizations. The latest QR code phishing method is more hazardous since specific email security measures like URL scanners cannot detect fraudulent links or attachments in QR codes. There will soon be more advanced and sophisticated methods for detecting fraudulent QR codes. Until then, you can stay safe by following the above email phishing protection practices and using anti-malware solutions for the best security of your information systems and critical data.