The ParaFlare Security Operations team has observed a surge in ‘quishing’ emails recently – a new email scam combining Quick Response (QR) codes and phishing.

The scam is being seen across many businesses, and while current security products and detections are being developed to better detect this type of phishing, there are actions you can take to better safeguard against these opportunistic threats.  

How it works

A quishing email, like other phishing scams, seeks to steal your passwords and personal data, and will come in various forms designed to prompt you to act, such as “MFA details expiring at X date.”

Quishing works by embedding an image file of the malicious QR code into the body of an email. This is currently bypassing the majority of security measures most businesses and organisations have in place. This will then prompt the user to scan using a mobile device, which often has weaker antivirus and anti-phishing protection.

In addition to quishing, criminals will also put up fraudulent QR codes in public places, such as parking meters, train stations and bus stops with the aim of tricking people and capturing their personal information.

What you can do

Employees

Phishing (and quishing) scams are highly effective because busy people often miss the signs within a malicious email, criminals are getting better at what they do, and the ubiquitous nature of email communication makes it an effective platform.

We recommend the following:

1. If you receive an email with a QR code, look for common phishing tactics.
   – Is there an urgent or timely request?
   – Is it poorly written? Are there small mistakes in the sender’s address?
   – Still not sure? Pick up the phone and call the sender.
   
2. If the sender is unfamiliar, do not scan the QR code. Find another way to verify the information.
   
3. If you scan the code, a preview will pop up on your mobile device. This is your chance to check for:
   – misspelling of names
   – Bing redirections
   – shortened links.
   
4. If the page/link, is asking for credentials never enter them, instead:
   – close the browse
   – visit the website directly.

Security teams

We recommend the following:

1. A mobile defence/antivirus solution such as Microsoft Defender for Android and iOS
2. Review and enhance IAM security measures and detections such as MFA and Conditional Access.

Additional information

What is a QR code?

QR codes are an image that can store information such as website links, emails, phone numbers, payment details and much more. QR codes by their nature are difficult for humans to read but allow for quick and easy interactions using our mobile devices. QR codes have been used since the 1990s but became widespread during the COVID-19 pandemic to make interactions more seamless without the need for human interaction.