Phishing is by far the most common type of cybercrime. According to Internet Crime Complaint Center (IC3) data, individual users reported almost 300,000 phishing and spoofing attacks in 2023, compared to fewer than 56,000 personal data breaches. Researchers with Zscaler ThreatLabz found that phishing attacks increased more than 58 percent in 2023.
A 2024 report by Egress found that 94 percent of organizations fell victim to phishing attacks in the preceding 12 months, and 96 percent were “negatively impacted” by those attacks. Phishing played a role in 79 percent of account takeover attacks, with malicious actors using spear phishing to gather sensitive information.
Attackers are using new techniques to increase the success of their phishing campaigns. According to Egress, quishing attacks have surged 1,000 percent in the past three years, from 0.8 percent of phishing attacks in 2021 to 10.8 percent in 2024.
What Is Quishing?
Quishing is a form of phishing that uses QR codes to trick victims into visiting malicious websites. The attacker sends a phishing email or text message with a QR code that links to the malicious site. The site may attempt to steal sensitive information or install malware on the victim’s device.
Cybercriminals are capitalizing on the growing popularity of QR codes, which offer a convenient way to direct users to a website. QR codes make it easier for attackers to conceal malicious URLs from users who are increasingly wary of suspicious links in emails. Quishing emails can also evade security tools that are unable to scan images.
Additionally, quishing enables attackers to bypass an organization’s security controls. A user may receive the malicious QR code via personal email and then scan it with a device used for business, potentially infecting the network with malware. Conversely, a quishing attack that arrives through business email may be scanned with a personal device that lacks robust defenses.
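Because the lure lives inside an image, a gateway that only scans text and links sees a message with nothing to block. One defensive response is to look at the structure of the message instead of the image. The following Python script is an added illustration, not code from the original article or from Verteks: it parses a raw email with the standard library and flags messages that carry an image, contain no clickable link, instruct the reader to scan something, and use urgency language. The two sample messages, the keyword list and the "two reasons" threshold are constructed assumptions for the example.

```python
"""Gateway-side structural heuristic for QR-code phishing lures.

Added illustration, not code from the original article. The sample messages,
keyword list and threshold are constructed for the example.
"""
import re
from email import message_from_string, policy

# Constructed sample: a typical quishing lure (image attached, no link, urgency).
SAMPLE_LURE = """\
From: it-helpdesk@example.test
To: user@example.test
Subject: Action required: MFA enrollment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your account will be suspended within 24 hours. Scan the attached QR code
with your phone to verify now.
--b1
Content-Type: image/png; name="mfa.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Constructed sample: an ordinary message with a visible link and no image.
SAMPLE_NORMAL = """\
From: newsletter@example.test
To: user@example.test
Subject: March newsletter
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

This month's update is at https://news.example.test/march
"""

# Assumed urgency phrases; a production list would be tuned per organisation.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (?:will be )?suspended|verify now)\b",
    re.I,
)
LINK = re.compile(r"https?://", re.I)
SCAN_INSTRUCTION = re.compile(r"\b(scan|qr)\b", re.I)


def score_qr_lure(raw: str) -> dict:
    """Score a raw RFC 5322 message for quishing indicators.

    Returns image count, link count, the reasons that fired and a flag that is
    set when at least two independent indicators are present."""
    msg = message_from_string(raw, policy=policy.default)
    images, body = 0, ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1                      # the QR code arrives as an image part
        elif ctype in ("text/plain", "text/html"):
            body += part.get_content()       # collect all readable text

    links = len(LINK.findall(body))
    urgency = len(URGENCY.findall(body))
    reasons = []
    if images and links == 0:
        reasons.append("image attached but no clickable link: the action is pushed into the image")
    if images and SCAN_INSTRUCTION.search(body):
        reasons.append("body instructs the reader to scan a code")
    if urgency:
        reasons.append(f"{urgency} urgency phrase(s) in body")

    return {
        "images": images,
        "links": links,
        "reasons": reasons,
        "flag": len(reasons) >= 2,
    }


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("normal", SAMPLE_NORMAL)):
        print(name, score_qr_lure(sample))
```

The point of the heuristic is that it never needs to decode the QR code: an image-only call to action plus urgency wording is itself the signal, which is why a quarantine-and-review rule on this combination catches lures that an image-blind URL scanner misses.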
How Security Awareness Training Can Help
Many users are unaware of the risks posed by QR code phishing. In a recent Hoxhunt Challenge, almost 600,000 users were sent a quishing email to test their ability to detect the threat. Just 36 percent of the recipients successfully identified and reported the simulated attack. More than half (59 percent) failed to identify the attack and took no action, while 5.5 percent scanned the QR code.
Based on these results, most organizations should assume they would be compromised by a quishing attack. Because these scams target people rather than systems, organizations should implement regular cybersecurity awareness training to combat the threat.
Quishing awareness should be covered in any such program. Users need to understand how to avoid falling victim to a quishing attack:
- Be skeptical of QR codes sent via email or text, especially if the message is unexpected and demands immediate action.
- Inspect QR codes on signs or advertising before scanning. In several attacks, criminals have overlaid the legitimate QR code with a malicious one.
- After you scan a QR code, carefully inspect the URL to ensure it’s authentic.
- Be cautious about entering personal information or credentials on a site you reach via a QR code.
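"Carefully inspect the URL" is easier to say than to do on a phone screen. The following Python script is an added example, not part of the original article or any Verteks tooling: it takes the URL a phone displays after decoding a QR code and lists the mechanical checks a user or help desk can apply before trusting it (scheme, raw IP host, punycode look-alike domains, userinfo tricks, shorteners, brand names buried in the wrong registrable domain, and redirect parameters). The expected-domain allow-list, the shortener list and all sample URLs are assumptions constructed for the example.

```python
"""Check a URL decoded from a QR code for signs it is not what it claims to be.

Added illustration, not code from the original article. The allow-list,
shortener list and sample URLs are constructed for the example.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list: domains the organisation expects on its own signage and mail.
EXPECTED_DOMAINS = {"example.com", "login.example.com"}

# A shortener hides the real destination, so it counts as "unknown destination".
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Query parameters that commonly carry an onward redirect target.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "goto", "target"}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host: str) -> str:
    """Last two labels, e.g. 'login.example.com' -> 'example.com'.
    A real implementation would consult the Public Suffix List; two labels is
    a simplification that is adequate for .com-style names."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


# Brand words derived from the allow-list, e.g. {"example"}.
BRANDS = {_registrable(d).split(".")[0] for d in EXPECTED_DOMAINS}
EXPECTED_REGISTRABLE = {_registrable(d) for d in EXPECTED_DOMAINS}


def inspect_qr_url(url: str) -> dict:
    """Return the real host plus a list of human-readable warnings.

    An empty list does not prove the URL is safe; it only means none of the
    cheap mechanical checks fired. The user still has to recognise the site."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        warnings.append(f"unusual scheme '{parts.scheme}'")
    elif parts.scheme == "http":
        warnings.append("plain http: anything typed here travels unencrypted")

    if not host:
        warnings.append("no host in URL")
        return {"host": host, "warnings": warnings}

    if parts.username is not None:
        # https://example.com@evil.test/ : the text before '@' is NOT the host.
        warnings.append(f"userinfo '{parts.username}' precedes the real host '{host}'")

    if _is_ip_literal(host):
        warnings.append("host is a raw IP address, not a domain name")
    else:
        # Punycode labels (xn--) can render as look-alike Unicode domains.
        if any(label.startswith("xn--") for label in host.split(".")):
            try:
                shown = host.encode("ascii").decode("idna")
            except UnicodeError:
                shown = "(undecodable)"
            warnings.append(f"internationalised domain: the phone may display it as '{shown}'")

        if host in SHORTENERS:
            warnings.append("URL shortener: the final destination is hidden")

        if host.count(".") >= 4:
            warnings.append("deeply nested subdomains, a common way to bury a brand name")

        # 'example.com.login-check.test' contains the brand but is a different site.
        reg = _registrable(host)
        if reg not in EXPECTED_REGISTRABLE:
            if any(brand in host for brand in BRANDS):
                warnings.append(f"brand name appears in host but the registrable domain is '{reg}'")
            else:
                warnings.append(f"domain '{reg}' is not on the expected list")

    for name in parse_qs(parts.query):
        if name.lower() in REDIRECT_PARAMS:
            warnings.append(f"query parameter '{name}' forwards to another site")

    return {"host": host, "warnings": warnings}


if __name__ == "__main__":
    for sample in ("https://login.example.com/account",
                   "http://example.com.login-check.test/verify?next=https://other.test",
                   "https://example.com@evil.test/"):
        print(sample, "->", inspect_qr_url(sample)["warnings"])
```

The check that matters most in practice is the registrable-domain one: a host that merely contains the brand name somewhere to the left of the last two labels is a different site, and that is exactly the pattern a small phone screen truncates first.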
The Importance of Regular Training and Testing
Although awareness training can improve your overall security posture, it can’t be a one-off event. According to researchers from several German universities, employees forget much of what they’ve learned after just a few months unless training is repeated regularly.
Training programs must also be tested regularly to ensure they are working as intended. Social engineering testing is the most reliable way to discover if your training programs are truly effective. In these tests, authorized ethical hackers simulate a variety of attacks to understand whether users are being vigilant and following established procedures.
Quishing is a gateway attack that opens the door for additional threats such as ransomware, identity theft, data exfiltration and more. The security professionals at Verteks can help you set up ongoing employee awareness programs that can limit your exposure.