In the continuously evolving world of cybercrime, malicious actors are constantly finding new ways to exploit modern technologies to their advantage. QR codes, once seemingly harmless, have now become the latest tool in the hacker arsenal, ushering in a new era for phishing attacks. Welcome to the era of "quishing".
Difference between phishing and quishing
Phishing, a term that echoes throughout the cybersecurity landscape, is a form of social engineering that unscrupulous actors use to manipulate individuals into revealing sensitive information, such as usernames and passwords, or even into installing malicious software. Its various iterations have adapted over the years, and the latest incarnation uses QR codes. That is quishing.
If the company behind the QR code had nefarious motives, the scan would lead to the automatic download of ransomware onto your smartphone. This is exactly what quishing involves: deceiving individuals into believing that something is benign or essential when in reality it hides sinister intent. The ultimate goal is to access personal information, steal bank account credentials, and more.
Why quishing poses a threat
QR codes have infiltrated every aspect of our lives, and for this reason we have widely accepted them, finding them in restaurants, on public transport, in advertising, and even on product packaging. We have also developed a sort of trust in their content, unreadable to the naked eye, which hides behind the checkerboard of black and white dots.
Cybercriminals, for their part, are acutely aware that most consumers assume QR codes are harmless. Furthermore, mobile phone users represent the ideal target audience because, unlike desktop operating systems, mobile phones do not include phishing protection.
At present, most quishing attacks involve cybercriminals sending QR codes via email. Typically, these emails disguise themselves as urgent requests for account verification, warning recipients of an impending ban if they don't act promptly.
The idea is simple: an individual views the QR code in the email from their desktop and scans it with their phone, giving free access to the device to which they entrust personal information every day, including that stored in banking apps.
However, the potential exploitation of QR codes extends beyond email. Nothing stops a cyber criminal from placing these codes in public spaces, counting on the curiosity of passers-by.
What to do to protect yourself from quishing
The simplest approach is to refrain from scanning QR codes, especially those from unverified sources. Scan a QR code only after validating the source and, even then, it is best to do so sparingly and only when absolutely necessary.
If you receive an email containing a QR code, your first step should be to verify the authenticity of the sender. If the email appears to come from Company X, but the sender address appears suspicious or unrelated, it is most likely a quishing attempt.
In general, QR codes in emails should be greeted with skepticism. Legitimate companies usually provide clear instructions for any necessary actions, and they rarely require you to verify your account via a QR code. As for the codes you come across in public places, it's best not to give in to temptation.
It is also possible to configure security options within the app you use to scan QR codes on your smartphone. For example, you can ask to see the full web address before confirming any action. This may slow down usage, but user safety benefits.
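The "view the full web address before confirming" check described above, as an added example that is not part of the original article: it takes the text already decoded from a QR code, returns the full address, and lists the reasons not to open it. The function name `preview_qr_url`, the `expected_domain` parameter, the simplified subdomain test and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def preview_qr_url(payload, expected_domain):
    """Return (full_url, warnings) for text decoded from a QR code.

    expected_domain is the site the message claims to come from (an
    assumption supplied by the user, e.g. the real domain of "Company X").
    """
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    warnings = []
    if parts.scheme not in ("http", "https"):
        warnings.append(f"not a web link (scheme {parts.scheme!r})")
    elif parts.scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username or parts.password:
        warnings.append("text before '@' is not the site; it hides the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name (or empty), not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host name that may imitate another domain")
    # Simplified ownership test: exact match or a subdomain of expected_domain.
    if host != expected and not host.endswith("." + expected):
        warnings.append(f"host {host!r} is not part of {expected!r}")
    return parts.geturl(), warnings

if __name__ == "__main__":
    # Constructed sample payloads using reserved example names and addresses.
    samples = [
        "https://login.example.com/verify",
        "https://example.com@203.0.113.7/verify",
        "http://example.com.account-check.test/login",
    ]
    for sample in samples:
        url, warns = preview_qr_url(sample, "example.com")
        print(url)
        for w in warns or ["no warnings"]:
            print("   -", w)
```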