QR Code Phishing Attacks: Threat Actors Are Now Shopping Online with You

Olesia Klevchuk, Director of Email Protection at Barracuda, discusses the prevalence of QR code phishing attacks and how cybercriminals are utilizing quishing to exploit data, download malware, compromise personal devices, and what individuals need to be mindful of when spotting a quishing attack.

By Olesia Klevchuk, Director of Email Protection, Barracuda

In recent years, QR codes are among one of the many technologies that have reemerged with more efficiency and convenience than before. The two-dimensional barcode allows users to share website URLs, make payments, or share contact information from their mobile devices. However, with efficiency comes a cost – and while QR codes have opened new opportunities for individuals to utilize advanced technology, it’s also opened more opportunities for hackers to intervene.

Now, hackers are embedding malicious QR codes into shopping coupons, phishing emails, payment sites, and social media accounts – also known as “quishing” attacks.

As technology becomes smarter, so do hackers, and individuals need to be mindful of these new methods so they can stop attackers in their tracks. With proper cybersecurity training and the help of AI, quishing can be avoided, and QR code technology can be used to its advantage.

QR Code Attacks’ Secret Weapon: Creating a False Sense of Trust

Imagine you receive an email from your bank, informing you about a security update for your mobile banking app. The email explains that you need to update the app immediately to prevent any potential security breaches and keep your finances safe, so you scan the QR code with your mobile device – redirecting you to a site that replicates your bank’s interface and prompting you to enter your login details. The update is seemingly “successful.” A couple days later, you have several unauthorized transactions, your account has been compromised, and you realize you are a victim of a QR code attack.

Quishing attacks utilize social engineering tactics that make individuals more susceptible to the threat. These attacks frequently exploit the trust of people who use their mobile devices for regular digital interactions, such as emails, messages, or payment sites. This creates a false sense of familiarity, directing victims into a deceptive comfort zone to give out their credentials. Specifically, attackers mainly use quishing attacks to spread phishing links, malware downloads, or compromise a device.

QR Code Attacks: Emails, Malicious Downloads,  and Compromised Devices

QR code attacks can manifest in different ways which present unique threats to individuals’ security. Quishing often comes in the form of a malicious email link, prompting recipients to scan a QR code and redirecting them to a counterfeit website that masquerades as a trusted application or service. Individuals are then encouraged to submit their personal information or login credentials, unknowingly offering their personal data to the attacker. Additionally, quishing attacks can also come in the disguise of surveys that ask victims for their personal information, including their social security number. These malicious links and forms serve as bait for victims, making it easy for attackers to receive personal information.

Malware from malicious websites can also automatically be downloaded to a victim’s device. The dangerous malware can range from spyware to ransomware, granting attackers the ability to pilfer data or even seize control of a victim’s device – serving as a huge threat to individuals’ security.

Additionally, scanning a QR code can be used to open payment sites, follow social media accounts, or send malicious email messages from a compromised victim’s account. This tactic allows hackers to impersonate their victims or target others in their network.

AI Imaging and Recognition Technology are Crucial to detect Quishing

With advanced technology, AI and image recognition can be a pivotal defense mechanism in detecting quishing attacks. AI-based detection can analyze a range of signals, from image size and placement, content analysis, or sender behavior to determine whether there is malicious intent behind the QR codes. This technology looks through data and specific patterns to help identify potential threats, providing a shield against these attacks.

It is also important to educate users on specific QR code attacks given the prevalence of advanced technology. Cybersecurity professionals are encouraged to educate individuals through security awareness training on how to quickly thwart and identify these attacks and their impact on organizations.

The ever-evolving technological landscape has not only allowed tech to get smarter, but has allowed hackers to level up their attacks. The complex and multifaceted nature of QR code attacks calls for a proactive response, and cybersecurity leaders and individuals must be wary of how easy it is to fall prey to these attacks. Implementing cybersecurity safety training programs and enabling AI with image recognition technology can be pivotal in avoiding compromised devices, malware downloads, and ultimately providing safety to individuals’ personal data.

About the Author

Olesia Klevchuk is the current Director of Email Protection at Barracuda where she oversees the product marketing team and is skilled in the realm of cybersecurity, SaaS, enterprise software, and go-to-market strategies. Prior to her time at Barracuda, Olesia was the Senior Product Marketing Manager for MarkMonitor and Intermedia – where she continued prospering her career in strategic messaging and positioning. Olesia received her B.A in History and Sociology at the University of Reading and received two M.Sc’s; one in Political Science at the University of Bristol and another in Research and Statistical Analysis at the University of Glasgow.

Olesia Klevchuk can be reached online at Olesia Klevchuk and at our company website https://www.barracuda.com.