Quishing – The Rising Threat of QR Code Phishing in Cybersecurity
Quishing is an emerging cyber threat that leverages QR codes embedded in phishing emails to redirect unsuspecting victims to malicious websites. This sophisticated tactic exploits the growing popularity of QR codes, turning them into a gateway for cybercriminals to access sensitive organizational data and systems.
A recent report by security firm Egress has shed light on the increasing prevalence of quishing in phishing attacks. Cybercriminals have recognized QR codes as an effective and deceptive tool to breach company infrastructures.
Much like traditional phishing scams, quishing preys on an employee’s trust by disguising malicious QR codes as links to legitimate webpages. However, once scanned, these codes lead victims to harmful sites, granting attackers potential access to critical systems and data.
Whilst the increasing use of QR codes has drawn cybercriminals to this new tactic, so has the success of intelligent cloud-based solutions in countering malicious hyperlinks, which has forced them to look for new holes in company defences. As we know, cybercriminals tend to be at least one step ahead of the sector's attempts to keep them out, and QR codes offer a real opportunity for bad actors to get around new, effective defences.
Increase and nature of quishing attacks
Egress identified that from 1st January to 31st August 2024, 12 percent of all phishing attacks contained a QR code. This is likely to increase substantially in 2025 due to an expected surge in QR code usage this year, so companies have to become more aware of what such threats look like and how their employees can better handle incoming phishing attacks.
The report highlights what a typical attack looks like:
Step 1: The victim receives a phishing attack containing a QR code, often accompanied by social engineering techniques designed to compel them to read it. Cybercriminals typically emphasise elements such as urgency, authority, or emotional appeals within the email to increase the likelihood that the recipient will engage with the malicious payload.
Step 2: The victim uses their smartphone camera to read the QR code, which prompts them to open their browser and directs them to a malicious website.
Step 3: Depending on the nature of the website, the victim could be asked to enter log-in credentials or financial details, or malware may be downloaded onto their device. If the attacker successfully gains access to a user’s credentials, they can use these to launch further attacks within an organisation or move laterally across networks.
As businesses catch up with the approaches cybercriminals use, quishing attempts are evolving, as Rob Batters, Director of Managed and Technical Services, Northdoor, explains:
“Essentially, quishing works the same as a ‘normal’ phishing attack; however, by utilising a trusted source such as a QR code, cybercriminals are increasing their chances of success. Quishing, as a tactic, is relatively new, but as companies and solutions begin to catch up, cybercriminals are already adapting their approaches. Some are putting the malicious QR code on a coloured background to try and make it harder for software to identify the code’s anchors and highlight it as malicious.
“Others are embedding the code within emails as attachments. Once the attachment is open it can be opened as any other QR code but it can trick some software into allowing it through. The most sophisticated approaches involve embedding QR codes within macro-enabled Excel files. When opened, these files execute macros that assemble a malicious URL from separate cells and generate a QR code from it. As most solutions struggle to analyse fragmented URL components, it increases the chances of the code getting through. The positive for employees is that such efforts to get past the software mean that the code itself looks more suspicious and easier to identify as a cyberattack.
“The key for countering quishing attacks is the same as phishing attacks. If employees can identify what a malicious email looks like then they are unlikely to click any link, open an attachment or use a QR code. Keeping employees up to date with the latest threats and how to deal with them means that cybercriminals have to find new routes to gain access to data and systems.
“The efforts of cybercriminals to find a soft underbelly of a company’s security will continue and likely become more sophisticated and complex. This means that the job of internal IT and security teams becomes more onerous and time-consuming. At a time when manpower and budgets are stretched, this becomes, on the face of it, an almost impossible task.
“Many are turning to third-party consultancies to help shoulder some of the pressure. These consultancies can also provide the expertise that in-house struggle with. By keeping an eye on systems as well as informing teams about the latest threats, consultancies are, in many cases, in a better position to keep cybercriminals out,” Batters concluded.
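The macro-enabled Excel technique described in the quote above hides a URL by splitting it across cells. The following is an added detection example, not code from Egress, Northdoor or any product: it assumes cell text has already been extracted from the workbook into a mapping of cell reference to string, and the function names, the six-cell window and the sample workbook are all constructed for illustration.

```python
import re

# Complete http(s) URL with a dotted host name.
URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?$")
CELL_RE = re.compile(r"^([A-Z]+)(\d+)$")
MAX_PARTS = 6  # assumption: at most six cells are joined into one URL

# Constructed sample: cell reference -> text, as a workbook parser would yield.
SAMPLE_CELLS = {
    "A1": "Invoice 4471", "B1": "Total due",
    "A2": "https://", "B2": "portal-", "C2": "billing.example",
    "D2": "/pay?id=", "E2": "4471",
    "A3": "https://www.example.org/help",  # whole URL in a single cell
}

def _lines(cells):
    """Yield every row, then every column, as ordered (ref, text) lists."""
    rows, cols = {}, {}
    for ref, text in cells.items():
        m = CELL_RE.match(ref)
        if not m or not isinstance(text, str) or not text.strip():
            continue
        col = sum((ord(c) - 64) * 26 ** i for i, c in enumerate(reversed(m.group(1))))
        row = int(m.group(2))
        rows.setdefault(row, []).append((col, ref, text.strip()))
        cols.setdefault(col, []).append((row, ref, text.strip()))
    for group in (rows, cols):
        for key in sorted(group):
            yield [(ref, text) for _, ref, text in sorted(group[key])]

def find_fragmented_urls(cells):
    """Return [(url, [cell refs])] for URLs that exist only once cells are joined."""
    hits = {}
    for line in _lines(cells):
        for start in range(len(line)):
            best = None
            for end in range(start + 2, min(start + MAX_PARTS, len(line)) + 1):
                run = line[start:end]
                if any(URL_RE.match(text) for _, text in run):
                    break  # a whole URL in one cell is ordinary link scanning
                joined = "".join(text for _, text in run)
                if URL_RE.match(joined):
                    best = (joined, [ref for ref, _ in run])  # keep longest run
            if best:
                hits[best[0]] = best[1]
    return sorted(hits.items())

if __name__ == "__main__":
    print(find_fragmented_urls(SAMPLE_CELLS))
```

This heuristic only joins cells in row or column order, so a macro that concatenates cells in an arbitrary order would need the macro source or a sandboxed run to reconstruct the URL.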