Organizations need to be aware of the threat posed by QR code phishing (quishing), according to researchers at Trend Micro.
“Phishing emails continue to be the number one attack vector for organizations,” the researchers write.
“A QR code phishing, or quishing attack, is a modern social engineering cyber attack technique manipulating users into giving away personal and financial information or downloading malware. It targets C-level executives and the highest strategic roles within a company.”
Since QR codes don’t use a text-based link, they can slip past email security filters to target humans directly. Humans likewise can’t analyze the link itself before scanning the code.
“Quishing can bypass traditional security email gateways, evading email filtering tools and identity authentication,” Trend Micro says. “This allows cyberattacks to move from a protected email to the user’s less secure mobile device, where cybercriminals can obtain confidential information, such as payment details, for fraudulent purposes.
For instance, a malicious QR code hidden in a PDF or an image (JPEG/PNG) file attached to an email can bypass email security protection, such as filtering and flagging. This allows the email to be delivered directly to the user’s inbox without being analyzed for clickable content.”
Trend Micro says users should be on the lookout for the following red flags associated with QR codes:
-
“No context. Exercise caution if the QR code lacks context or appears out of place, such as QR codes randomly placed in a public area
- Web links. Avoid sites accessed through QR codes that request payments. Instead, enter a known and trusted URL for transactions
- Overlays. Be wary if the QR code is placed over existing signs or labels, as scammers may try to cover up legitimate information
- Too much information: Be skeptical of QR codes that ask for excessive permissions (e.g., access to your camera, contacts, or location) beyond what is necessary”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Trend Micro has the story.