Before you scan that QR code, know the threat: Quishing

What is quishing? It’s where QR codes are hijacked to bypass multi-factor authentication (MFA) protections.

How? Quishing is when cyber criminals use fake QR codes to trick users into scanning them, leading an unsuspecting user to a fraudulent website or even tricking people into making payments to the wrong bank account. Sometimes it’s blatant, like someone putting a fake QR code sticker over a real one. You think you are scanning a legitimate QR code on a sign, billboard, etc., but you are instead scanning the fake one.

These fraudulent QR codes are also sent in emails, where, as in a classic phishing attempt, the subject line is made to look like it comes from your company.

So, when the employee scans the QR code using their phone, they’re redirected to a phishing page that looks like a Microsoft 365 login but is really one controlled by the hackers. These fake landing pages are designed to steal login credentials and capture your MFA data, using a technique known as adversary-in-the-middle (AiTM). It’s where a bad actor sits between the user and the real service, so the user effectively completes the MFA step for the attacker, who then acts on behalf of the user. Sophos, one targeted company, reported that quishing emails sent to its staff had several red flags, including an attachment filename that did not match the one referred to in the body, missing text in the subject and body, and a sender name that did not match the usual corporate format.

What happens next if you’re compromised? The attacker then tries to use the employee’s information to gain access to an internal application. They do it by relaying the stolen MFA token in near real time, which lets the attacker go around the normal MFA process.

The quishing problem is a big challenge for organizations because it involves multiple devices. For example, a user receives an email with a QR code on one device, then scans the fake QR code with another device, usually a phone, which redirects to the attacker’s webpage. Organizations have to educate employees about the dangers of quishing emails arriving at a work email address, because personal phones are not usually subject to the organization’s cybersecurity policies. The employee’s phone lacks anti-phishing defenses, making it difficult to prevent, detect, and track potential compromises.

Organizations also have to anticipate quishing attacks sent to an employee’s personal email. Worse, in this case the message won’t be blocked by corporate anti-phishing defenses. So, if the employee scans the QR code with a business cell phone, that company phone could be infected by malware if the threat is not blocked by the company’s security solutions.

How can organizations prevent quishing attacks?

  • Just like with other phishing attempts, the IT team needs to train employees about the risks of scanning QR codes from emails.

  • Use an email scanner. It may be able to identify quishing emails based on text content, the QR code itself, or other red flags.

  • Just don’t risk scanning untrusted QR codes. Plus, employees need to be reminded to always double check the URL after they scan a QR code, before they ever enter sensitive information.

And of course, employees must enable Multi-Factor Authentication (MFA) to limit the damage if an employee’s credentials are entered into a phishing site.
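As an added example (not code from the original post or from Sophos), here is a small triage routine that applies the red flags described above to constructed sample messages: the Sophos indicators (attachment name mismatch, missing subject or body, sender name outside the corporate format) plus a check on the URL decoded from the QR image. The corporate domain, the display-name format and the trusted login host are assumptions, and decoding the QR image itself is left to an external library.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"                          # assumption: the organization's mail domain
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}  # assumption: the only legitimate SSO host
BRAND_WORDS = ("microsoft", "office", "o365", "sso", "login")
FILENAME_RE = re.compile(r"\b[\w-]+\.(?:png|jpe?g|gif|pdf)\b", re.I)

@dataclass
class Email:
    sender_name: str
    sender_addr: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # real attachment filenames
    qr_url: str = ""  # URL already decoded from the QR image (decoder not included)

def corporate_name_format(name: str) -> bool:
    # assumption: corporate display names look like "Lastname, Firstname"
    return re.fullmatch(r"[A-Z][a-z]+, [A-Z][a-z]+", name) is not None

def triage(mail: Email) -> list:
    """Return the red flags seen in one message; an empty list means none."""
    flags = []
    if not mail.subject.strip() or not mail.body.strip():
        flags.append("missing subject or body text")
    for name in set(FILENAME_RE.findall(mail.body)) - set(mail.attachments):
        flags.append(f"body refers to '{name}' but it is not attached")
    domain = mail.sender_addr.rsplit("@", 1)[-1].lower()
    if domain == CORP_DOMAIN and not corporate_name_format(mail.sender_name):
        flags.append("sender display name does not match corporate format")
    if domain != CORP_DOMAIN and corporate_name_format(mail.sender_name):
        flags.append(f"corporate-looking name sent from external domain {domain}")
    if mail.qr_url:  # the QR payload is what the phone would open
        host = (urlparse(mail.qr_url).hostname or "").lower()
        if host not in TRUSTED_LOGIN_HOSTS:
            flags.append(f"QR code leads to untrusted host '{host}'")
            if any(w in mail.qr_url.lower() for w in BRAND_WORDS):
                flags.append("untrusted QR URL imitates a corporate login page")
    return flags

# Constructed sample messages (not real mail): one quishing lure, one benign note.
QUISH = Email("IT Helpdesk", "helpdesk@example.com", "",
              "Scan code.png to re-enroll your MFA today.", ["qr-image.png"],
              "https://example-mfa-reset.invalid/microsoft/login?user=jdoe")
BENIGN = Email("Doe, Jane", "jane.doe@example.com", "Lunch menu",
               "This week's menu is in menu.pdf", ["menu.pdf"])
```

Running `triage(QUISH)` yields five flags while `triage(BENIGN)` yields none; in a real mail gateway the QR decoding step would feed `qr_url` before the URL check.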

In short, always double-check before you scan any QR code or make a payment. Be vigilant and assume it could be a phishing attempt, just like the ones you have seen in your inbox.

Sources:

Sophos: https://news.sophos.com/en-us/2024/10/16/quishing/

Tech Radar: https://www.techradar.com/pro/qr-codes-are-being-hijacked-to-bypass-mfa-protections
