QR code phishing: cybercriminals take aim at the C-suite

QR code phishing, or ‘quishing’, is a growing cyber threat exploiting the ubiquity of QR codes – and as a member of the C-suite, you’re the prime target. Don’t be a sitting duck. Shield yourself from this scam by understanding how it works, why you’re in the firing line, and how to prevent it.

Amid their determination to tweak existing techniques to avoid detection, cybercriminals have developed a phishing attack that targets our reliance on QR codes – the two-dimensional barcodes that allow quick access to online information through a smartphone or tablet camera.

Dubbed quishing, this social engineering attack has risen in prominence since the pandemic when these quick-response codes were used to support social distancing rules. Since then, they have remained part of everyday life – from quickly directing users to food and drink menus to ordering and paying for goods and services.

What is quishing?

Quishing attempts to deceive victims into scanning a malicious QR code with one of two intentions:

  • To begin downloading malware on their device that compromises data, disrupts operations, or gains unauthorised access to a system.
  • To direct them to a bogus website where they’re misled into providing sensitive information the attacker can either harvest for financial gain or leverage to commit further social engineering attacks.

How does QR code phishing work?

Regular phishing emails imitate communications from trusted sources, emphasising urgency to dupe victims into clicking on malicious links. The only difference with quishing scams is that victims are encouraged to scan a QR code that’s embedded in the email.

Why are cybercriminals including QR codes rather than links in phishing emails?

  • The widespread use of malicious links in emails makes people increasingly wary of clicking on them. To overcome this vigilance, cybercriminals harness QR codes to disguise links to malicious websites.
  • The security tools that detect phishing emails typically only scan links, allowing QR code images to circumvent them – although more vigilant tools have been developed to help identify this threat.
  • Victims scan the QR code using a personal device that typically contains weaker security controls than a corporate system.

Quishing doesn’t just rely on emails to trick victims. A BBC News report sheds light on a new technique: fake QR codes are being stuck on genuine car parking payment information signs. This nascent quishing scam, which exploits the move to mobile payments, directs drivers to a fraudulent website, where instead of paying for their parking, they expose their payment data to cybercriminals.

Awareness of quishing remains less prevalent than traditional phishing techniques, making it an enticing option for cybercriminals. According to a recent phishing threat trends report, quishing attacks rose from 0.8% in 2021 to 10.8% in 2024.

Business impact of QR code phishing

Because quishing attacks often involve a personal device that’s beyond the corporate security perimeter, they can be difficult for businesses to prevent. Cybercriminals also attach QR codes in PDF documents, making it even harder for traditional security controls to identify and block quishing emails before they reach employees.
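As an added example (not code from this article or from TDM Group), the following Python sketch shows the defensive idea behind the two points above: URLs decoded from QR images in email attachments and PDF documents are fed through the same link checks that a mail filter already applies to ordinary embedded links, so a QR image no longer bypasses them. The QR decoder is passed in as a callable; the `fake_decode_qr` stub, the `ORG_DOMAINS` allowlist and the sample message parts are constructed for the demo, and in production the callable would wrap a real decoder such as pyzbar run over the rendered image or PDF page.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlparse

ORG_DOMAINS = {"example-corp.com"}  # constructed: the organisation's own registrable domains

def assess_url(url):
    """Return the reasons a decoded QR payload (or any link) looks suspicious."""
    reasons = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        return [f"non-web scheme: {parsed.scheme or 'none'}"]
    if parsed.scheme == "http":
        reasons.append("plain http")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP-literal host")
    except ValueError:
        pass
    # Crude registrable part (last two labels); real code would use the public suffix list.
    registrable = ".".join(host.split(".")[-2:])
    for org in ORG_DOMAINS:
        if registrable == org:
            continue
        if SequenceMatcher(None, registrable, org).ratio() >= 0.9:
            reasons.append(f"lookalike of {org}")
        if org in host:
            reasons.append(f"{org} embedded in unrelated host")
    return reasons

def scan_message(parts, decode_qr):
    """Feed every QR payload found in image or PDF parts through the same link checks."""
    findings = {}
    for name, ctype, data in parts:
        if ctype.startswith("image/") or ctype == "application/pdf":
            for payload in decode_qr(data):
                if reasons := assess_url(payload):
                    findings[(name, payload)] = reasons
    return findings

# Constructed stand-in for a real decoder (e.g. pyzbar over the rendered image or PDF page).
_CONSTRUCTED_PAYLOADS = {b"%PDF-demo": ["https://examp1e-corp.com/sso"],
                         b"\x89PNG-demo": ["https://example-corp.com/login"]}
def fake_decode_qr(data):
    return _CONSTRUCTED_PAYLOADS.get(data, [])

# Constructed message parts: (attachment name, content type, raw bytes).
SAMPLE_PARTS = [("body.txt", "text/plain", b"Please scan the attached code to pay"),
                ("invoice.pdf", "application/pdf", b"%PDF-demo"),
                ("qr.png", "image/png", b"\x89PNG-demo")]
```

Running `scan_message(SAMPLE_PARTS, fake_decode_qr)` flags only the PDF, whose QR code points at a lookalike of the organisation's domain, while the legitimate QR in the PNG passes.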

Smaller firms are particularly vulnerable to quishing. Research shows they experience attack rates up to 19 times higher than larger companies, as they often lack the resources to implement advanced security tools and awareness training – and the impact can be severe:

Reputational damage

High-profile data breaches due to quishing can cause lasting damage to a brand’s reputation, eroding customer trust, retention and engagement.

Non-compliance fines

Businesses may face significant costs from legal fees and regulatory fines in the wake of an attack.

Operational disruption

Malicious QR codes might exploit vulnerabilities that allow attackers to compromise a business’s IT infrastructure, resulting in system downtime.

Why is the C-suite in the firing line?

Research shows that as a member of the C-suite, you’re 42 times more likely to be sent a quishing email than other employees. You’re targeted for several reasons, including:

  • Your access permissions typically expose the most confidential and valuable information.
  • Cybercriminals can leverage your authority by sending fraudulent requests to internal and external parties from your compromised account.
  • If multiple people have access to your inbox, such as an executive assistant, they represent a potential entry point that can be exploited.

How TDM Group can help you prevent quishing

We recognise that without sufficient knowledge and understanding of cybersecurity threats, employees are the weakest link in your digital security perimeter. Our proactive security training empowers them to identify phishing attacks before they can become incidents. The next layer in the prevention process is our phishing attack simulator, plus additional training for employees who fail to meet the required standard.

This proactive approach to safeguarding your business’s infrastructure and data is reinforced by our intelligent security analytics and threat monitoring services. These essential tools deliver real-time insights that ensure rapid response to phishing risks, mitigating damage.

Contact us today to safeguard your business from QR code phishing with expert security solutions.