QR code phishing, or Quishing, is gaining popularity among fraudsters when stealing user accounts and payment information.
Easy for users, easy for fraudsters
QR codes are often used by services to make the sign-in process and sharing of information easier and more user-friendly. A common example can be signing into your account from a new device, where instead of typing the username and password, you can simply scan the presented QR code from the app and seamlessly log in.
While this makes the process simple, it can be easily abused. The most common fraud targets are Google and Microsoft accounts, however, attackers are also trying to impersonate subscription and parcel delivery services.
How does it work?
Fraudsters send out well-crafted emails impersonating the service usually along the lines that there was “an issue with your payment” or “a suspicious login was detected”, prompting the user to solve the fictional issue by scanning the QR in order to log in and resolve it. Scanning the code, however, leads to a fraudulent website that will steal user’s credentials.
Quishing campaigns have been spotted targeting both end-users and enterprises worldwide. This technique is highly beneficial for the attackers for multiple reasons:
- While phishing links are scanned by most email security solutions, a simple image with a code will go undetected and the final link destination is obscured from the user until they scan it.
- QR codes also naturally redirect people to use their phones in order to scan them. Due to a smaller screen, users are usually less vigilant when it comes to checking the links.
Having Protective DNS, such as the one provided by Whalebone, can safeguard users against the links embedded in the QR code, as the security solution checks the link destination in the background even on people’s phones, preventing access to the fraudulent site.
