Quishing, or QRishing, is a type of phishing scam that uses QR codes to trick victims into downloading malware or sharing personal data. Despite its unthreatening name, quishing poses a real risk to businesses. However, with the right knowledge, you can stop your business from falling prey to these attacks. Read on for everything you need to know.
Why QR codes?
Read most media and you’ll see plenty of stories about the security threat posed by AI or the latest nation-state attack. However, cybercrime doesn’t have to involve the latest tech or be the height of nefarious sophistication. In fact, it’s often simple scams that get you.
QR codes have been around for almost three decades. Very few people think of them as on the bleeding edge of technology, more something you use to attend an event or scan for a marketing gimmick. Yet, since they’ve seen a resurgence in their use post-pandemic, they’ve stirred up a hornet’s nest of security problems.
The most prominent of these problems is quishing. QR code technology might not be sophisticated by today’s standards, but it does lend itself well to phishing scams.
Why? Unlike a URL or email address, a QR code is hard to evaluate for legitimacy. It is opaque to the human eye and can only be read by a scanner, so the destination is not visible until the code has been scanned. This means that by the time the victim has realised the QR code is bogus, it’s often too late.
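Because the destination only becomes visible once a scanner has decoded the code, the one moment a defender can check it is between decoding and tapping the link. The following is an added example, not code from the original post or from CyberSmart: it takes the plain string a scanner has already decoded (the image decoding itself is assumed to have happened elsewhere) and flags the indicators that most often distinguish a lure from a genuine link. The brand-to-domain allowlist, the shortener list and the sample payloads are constructed placeholders for illustration, not a maintained feed.

```python
"""Triage of the text decoded from a QR code, before anyone taps the link.

Added example (not part of the original post). Assumes the QR image has
already been decoded by a scanner into a plain string; decoding is out of scope.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains that legitimately serve a brand.
# A real deployment would load this from the organisation's own inventory.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
}

# Constructed list of link shorteners; a shortener hides the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation (no public-suffix list in this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_qr_payload(payload: str) -> dict:
    """Return {'kind', 'risk', 'findings'} for one decoded QR string."""
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Wi-Fi configs, vCards, mailto:, plain text: nothing to tap, but review by hand.
        label = scheme or "(none)"
        return {"kind": "non-web", "risk": "review",
                "findings": [f"scheme {label!r} is not http(s); inspect by hand"]}

    host = (parts.hostname or "").lower()
    findings = []
    severe = False

    if scheme != "https":
        findings.append("plain http, not https")
    if parts.username is not None:
        # "https://microsoft.com@evil.example/" puts the brand before '@' to mislead.
        findings.append("user@ credentials embedded in the URL")
        severe = True
    try:
        ipaddress.ip_address(host)
        findings.append(f"host is a bare IP address ({host})")
        severe = True
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label in host: possible homoglyph domain")
        severe = True
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append(f"link shortener {reg} hides the real destination")
    lowered = text.lower()
    for brand, domains in BRAND_DOMAINS.items():
        # Brand name anywhere in the URL but hosted off the brand's own domains.
        if brand in lowered and reg not in domains:
            findings.append(f"mentions {brand!r} but is hosted on {host}")
            severe = True

    risk = "high" if severe else ("medium" if findings else "low")
    return {"kind": "web", "risk": risk, "findings": findings}


# Constructed sample payloads (192.0.2.0/24 is a documentation range).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "http://192.0.2.10/microsoft/mfa-reactivate",
    "https://bit.ly/3abc",
    "https://secure.xn--micrsoft-8ya.com/reactivate",
    "WIFI:T:WPA;S:Guest;P:hunter2;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage_qr_payload(sample)
        print(f"{result['risk']:6} {sample}")
        for finding in result["findings"]:
            print(f"       - {finding}")
```

The checks are deliberately cheap so they can run on a phone or at a mail gateway that extracts QR codes from inbound images; the point is to surface the decoded URL and its warning signs to the user before the browser opens it, which is exactly the step a QR code otherwise skips.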
Did you know that 47% of SME leaders believe cybercrime has increased during the cost of living crisis? Read our report to find out why.
How big is the threat?
Phishing is by far the most common form of cyberattack. According to the DCMS Cyber Security Breaches Survey 2024, 84% of businesses in the UK experienced a phishing attack in 2023.
When it comes to quishing specifically, the scant figures available are equally ominous. Research from cybersecurity company Vade detected over 20,600 quishing attacks in one seven-day period in 2023.
What’s more, it isn’t just the spectre of falling victim that threatens businesses. If your business uses QR codes, cybercriminals could hijack them to target your customers.
What does a quishing attack look like?
Quishing attacks are versatile and can take any number of forms. We’ve seen examples of them conducted in person, with a scammer approaching the victim and asking them to scan a QR code for some sort of benefit. However, the most common approach is to send an email, much like a typical phishing scam, with a QR code included.
This approach was exemplified by the Microsoft 365 quishing attack in 2023. The attack began with a phishing email asking users to reactivate their multi-factor authentication (MFA). The email used the Microsoft Authenticator logo, giving it a veneer of legitimacy. Once the victim scanned the code and clicked the embedded link, they were sent to a webpage that infected their device with malware.
Microsoft eventually managed to get the situation under control and issued these instructions for detecting a scam, but not before thousands of users had been attacked.
What are the consequences of a breach?
The most obvious fallout from a successful quishing scam is financial harm. Research from BDO found that, among the six in ten organisations in the UK hit by phishing scams, the average loss was around £245,000.
However, the potential consequences can hit more than your pocket. If the scammers manage to steal customers’ personal data, you could also be looking at serious reputational damage and regulatory fines. What’s more, your standing among partners and suppliers could take a hit too.
How can you protect your business?
Like all phishing attacks, quishing relies on social engineering to trick victims. This means it can be tricky to recognise a bogus QR code, particularly when it’s attached to a seemingly legitimate message. But that doesn’t mean it’s impossible. Here are a few things you can do to protect your business.
1. Provide cyber awareness training for staff
Staff security training is the most important tool for protecting your business from quishing attacks. The rationale behind this is simple. If your employees aren’t aware of what cyber threats look like, they’re much more likely to fall foul of them.
Cyber awareness training can go a long way towards resolving this problem. It can give employees the basic cyber skills to spot and avoid a potential threat. And it needn’t be extensive or time-consuming: just a few hours a month on the basics, plus regular updates on new threats, can make all the difference.
2. Deploy MFA
Multi-factor authentication (MFA) adds an extra layer of security for your business, making it much harder for hackers to gain access. You likely already use MFA in some aspect of your online life; it’s now a requirement for most banking accounts. But if you haven’t already, switch it on for every system or application your business uses.
3. Use an anti-malware tool
Anti-malware software focuses on defending against the latest threats. An effective tool should protect your business against ransomware, spyware, sophisticated phishing attacks, and zero-day attacks. Most anti-malware tools update their detection rules continually, so protection against newly discovered threats, including the malware delivered by quishing scams, arrives quickly.
4. Protect your network
Your network is the gateway to your business. It’s what spear phishers are ultimately trying to gain access to when they attack you. Through it, a hacker can reach just about anything your organisation does. So protect it, and protect it well. The four simplest things you can do to strengthen your network immediately are:
- Install a network firewall to filter network traffic
- Use a VPN to encrypt network traffic
- Segment your network to eliminate single points of failure
- Regularly update your router’s firmware
5. Follow software providers’ advice
As we saw in the example earlier, cybercriminals will often try to imitate software providers when launching a quishing attack. Software providers such as Microsoft are all too aware of the threat and many have released guidance on how to counter a scam.
6. Limit user access
Limit who has access to what within your business. Staff should only have admin rights within a system or application if it’s critical for their role. It might sound a bit draconian, but the reasoning behind it is sound. If a cybercriminal compromises a user account through a phishing campaign, the fewer permissions that account has, the less damage the hacker can do.
7. Tie it all together
Don’t be put off by the length of the list above. If you’re unsure about where to start, complete a cybersecurity accreditation like Cyber Essentials or ISO 27001 certification.
These certifications can help you adopt good cybersecurity practices (including all of the above) and build your cyber confidence.
However, you also need something that keeps your cybersecurity baseline consistently high, year-round. This is where continuous cybersecurity monitoring tools like CyberSmart Active Protect can help by giving you an ‘always-on’ view of your business’s defences.
Want to know more about the threats facing small businesses? Check out our guide to SMEs and the cost of living crisis. In it, you’ll find insight from real small businesses on the threats they face and practical suggestions for mitigating them.