What are quishing attacks and why are they growing in popularity?
Back in May, I attended Cyburgh, an annual conference held by the Pittsburgh Technology Council to bring together cybersecurity professionals and enthusiasts across the Greater Pittsburgh region to discuss challenges and opportunities within the cybersecurity industry.
I was enraptured by one of the keynote speakers, Summer Craze Fowler, then-Senior VP of Cybersecurity and IT at Motional. As she moved through her slide deck, she really worked to engage the audience with humor and pop culture references to liven up the cybersecurity discussion she was leading us through. She moved to one slide with a QR code, and I was surprised when she said something like, “Don’t worry. This QR code is safe, I promise.”
QR codes aren’t safe? I thought to myself as I picked up my iPhone to scan the QR code to access the link.
Once COVID-19 restrictions eased in 2021, QR codes were everywhere you went – restaurants, bars, retail stores, the office. They became second nature to me, and I’m assuming to many others too. Even my grandmother knows how to scan a QR code via her iPhone. When something becomes expected as a convenience and established as a norm, it’s natural to let your guard down and assume it’s inherently safe.
But QR codes should make us all pause.
What’s so bad about QR codes?
Quishing is a phishing attack initiated via a QR code. And make no mistake about it, quishing is on the rise. According to research conducted by Check Point, quishing attacks increased by 587% between August and September 2023. A QR code can direct you to a website, add a contact, download an attachment, initiate an email or trigger another action, any of which may or may not be malicious. Malicious information or links can easily be encoded in the standard QR code image format. That makes a malicious code hard to detect, because it looks just like the “normal” QR codes you’re exposed to every day.
What can I do to protect myself and my company?
Awareness is key. Knowing that you should be wary of QR codes – at home, work or in public – is the first step. Take the precautionary measure to verify the domain associated with a QR code before you scan it.
Also, if you’re using a mobile device to scan a QR code, remember that there are often fewer security measures than on your network-connected corporate devices. Some devices automatically go to the URL when you hover over the code, and even if your device prompts you to accept the redirect, the link could be malicious. Be sure to double-check that the URL is valid just as you would in a web browser, and avoid scanning any codes you find in the wild.
For example, if you are eating at a restaurant with QR code menus, be sure to verify the URL is legitimate before clicking through. Remember, it takes seconds for a threat actor to cover up a genuine QR code with a malicious one.
Always alert your IT team if you receive a suspicious email with a QR code. When in doubt, don’t scan!
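For IT teams that want to automate the "verify the URL" step on QR codes pulled from reported emails, the sketch below triages text that has already been decoded from a QR image. It is an added example, not Schneider Downs code; the function name, the `EXPECTED_DOMAINS` allow-list and the sample payload are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the domains your organisation actually publishes QR codes for.
EXPECTED_DOMAINS = {"example.com", "menu.example.org"}

# Non-web actions a QR payload can trigger, keyed by lower-cased prefix.
ACTION_PREFIXES = {
    "mailto:": "compose email", "tel:": "dial number", "sms:": "send text",
    "smsto:": "send text", "wifi:": "join Wi-Fi network",
    "begin:vcard": "add contact", "mecard:": "add contact",
}


def triage_qr_payload(payload, expected=EXPECTED_DOMAINS):
    """Return (action, warnings) for text already decoded from a QR code."""
    text = payload.strip()
    for prefix, action in ACTION_PREFIXES.items():
        if text.lower().startswith(prefix):
            return action, ["non-web action: confirm you intended it"]
    try:
        parts = urlsplit(text)
    except ValueError:
        return "unknown", ["payload is not a well-formed URL"]
    if parts.scheme not in ("http", "https"):
        return "unknown", ["not a web link or a recognised action"]
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("link is not HTTPS")
    if parts.username or parts.password:
        warnings.append("text before '@' is not the real domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another domain")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass
    if not any(host == d or host.endswith("." + d) for d in expected):
        warnings.append(f"host {host!r} is not an expected domain")
    return "open website", warnings


if __name__ == "__main__":
    # Constructed sample: documentation-only host and address.
    print(triage_qr_payload("https://example.com@203.0.113.7/login"))
```

An empty warning list only means the link points at a domain you already expect; it says nothing about the content behind it.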
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.