
QR code phishing: 14 quishing prevention tips
Quishing is an off-putting word for an on-the-rise attack method. Learn how to defend against it.
During the COVID-19 pandemic, QR codes became popular among restaurants and other businesses looking to facilitate contactless interactions. Today, cybercriminals are turning to email-based QR code phishing attacks, and fraud is on the menu.
Quishing, also known as QR code phishing, is a type of phishing attack that tricks a user into scanning a malicious QR code with a mobile device. In a typical attack, the QR code opens a fraudulent website in the user's browser, which then might download malware or harvest sensitive information, such as login credentials or credit card numbers.
How a QR code works
A QR code, or quick response code, is a square barcode -- an image consisting of black squares on a white background -- that contains data. When a user points a compatible camera or app at a QR code, it scans the data and initiates an action, typically opening a webpage. It could also trigger a phone call, text message or digital payment.
QR codes are easy and inexpensive to create, and businesses often use them to facilitate customer interactions and transactions. A legitimate QR code might, for example, contain event ticketing details, payment portal information or a link to a company website. But the rising popularity of QR codes has also made them an attractive attack method for cybercriminals.

How quishing works
Traditional phishing campaigns try to induce users to download attachments or click on hyperlinked text. Email-based quishing attacks hide malicious links within QR code images and attempt to convince users to scan them using secondary mobile devices. Malicious QR codes are challenging to catch and block because most antiphishing email filters analyze text and links but not images.
In a worst-case scenario, a successful quishing attack could compromise an enterprise user's credentials and give attackers access to a private corporate network. This could, in turn, lead to a data breach, ransomware attack or other serious cybersecurity incident.
In some cases, users might also encounter QR code scams offline. For example, criminals have previously attached QR code stickers to parking meters to direct drivers to fraudulent payment portals.
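The filter gap described above, as an added example that is not part of the article: a standard-library Python triage rule that looks for the combination text-and-link filters miss (an image part, a "scan the QR code" lure and no URL in the text body). The lure phrases, sender addresses and placeholder PNG bytes are constructed for the test messages; flagged mail would then go to QR decoding and URL scanning.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed lure phrases; a production rule set would be broader.
LURE_RE = re.compile(r"scan (the|this) (qr|quick response) code|qr code (below|attached)", re.I)
URL_RE = re.compile(r"https?://\S+")


def triage_quishing(raw: bytes) -> dict:
    """Flag a message whose only call to action is an image-borne QR code.

    A link filter sees nothing to block when the URL lives inside an image,
    so check for: an image part, a lure phrase, and no URL in the text body.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    text, images = "", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text += part.get_content()
        elif part.get_content_maintype() == "image":
            images.append(part.get_filename() or "<inline>")
    urls = URL_RE.findall(text)
    lure = LURE_RE.search(text) is not None
    return {
        "image_attachments": images,
        "urls": urls,
        "lure_phrase": lure,
        # Suspicious mail should be routed to QR decoding (e.g. a zbar-based
        # library) and URL scanning rather than passed by the link filter.
        "suspicious": bool(images) and lure and not urls,
    }


def build_sample(body: str, image_name: str) -> bytes:
    """Constructed test message; a placeholder PNG header stands in for a QR image."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed addresses
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Test message"
    msg.set_content(body)
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
                       maintype="image", subtype="png", filename=image_name)
    return bytes(msg)


QUISHING_SAMPLE = build_sample(
    "Your MFA token expires soon. Scan the QR code below to re-enroll.\n", "mfa-qr.png")
BENIGN_SAMPLE = build_sample(
    "Read the full update at https://intranet.example.invalid/news\n", "banner.png")
```

Run `triage_quishing` over both samples: the QR lure with no text URL is flagged, while the newsletter with a visible link and a banner image is not.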
14 quishing prevention tips
The best way to prevent quishing -- or any type of phishing -- is to cultivate an educated user base. With that in mind, enterprises should provide security awareness training that teaches users the following:
- Never scan a QR code from an unfamiliar source. Check and double-check the sender's email domain.
- If a QR code comes from a trusted source via email, confirm using a separate medium -- e.g., text message, voice call, etc. -- that the message is legitimate.
- Stay alert for hallmarks of phishing campaigns, such as a sense of urgency and appeals to user emotions -- e.g., sympathy, fear, etc. Misspellings and grammatical errors should also raise suspicion.
- Use only built-in mobile device cameras or trusted apps from reputable software vendors to scan QR codes. Consider using a QR code scanning app with built-in security features.
- Proceed with extreme caution if a QR code points to a site that asks for personal data, login credentials or financial information.
- Observe good password hygiene by changing passwords frequently and never using the same password for more than one account.
Organizations should also consider the following quishing prevention security measures, which help combat all types of phishing:
- Use allowlisting and blocklisting and keep lists up to date.
- Use antispam filters.
- Implement and enforce strong email security policies.
- Implement and enforce strong password policies.
- Require MFA.
- Deploy email security gateways.
- Enlist threat intelligence services.
Finally, some organizations might decide to avoid QR code use entirely. In this case, inform and regularly remind employees that they should not scan any QR codes they receive on their professional accounts or using company devices.
Alissa Irei is senior site editor of Informa TechTarget's SearchSecurity.