Skip to content

Hit enter to search or ESC to close

Phishing takes many forms, and cybercriminals will find and use any opportunity to trick a person. The QR code is one of the latest technologies to be exploited for criminal gain. QR Codes are a widespread technology found everywhere, from restaurants to car parks to login pages. The popularity of the QR code is down to its convenience. This popularity is captured in a 2024 report on QR Code trends, which found a 47% increase in QR code usage each year. QR Codes are easy to use, with most Android and iOS smartphones offering in-built QR Code scanners. In the USA, around 80% of users trust QR code technology. It is this trust and convenience that scammers are exploiting.

Why are QR Codes Used for Phishing?

The COVID-19 pandemic promoted using QR codes as an ideal contactless way for customers to access information. The convenience, widespread use, trustworthiness, and popularity of QR codes made QR codes an attractive target for cybercriminals. QR Code phishing or “Quishing” is now an established form of behavior manipulation scammers use. Some recent examples of Quishing include the following:

Examples of QR Code Phishing

QR Code Voicemail Scams: QR code-enabled voicemail scams begin previously compromised legitimate employee account credentials. These login credentials are then used to gain unauthorized access to Microsoft Outlook accounts. The attackers use these legitimate accounts to send emails that purport to contain a voicemail from the account holder. The email states that to hear the voicemail, the recipient must scan a QR code contained in the email. If the employee scans the QR Code, they are taken to a spoof but realistic-looking Microsoft login page. The credentials will be stolen if the employee enters their credentials to listen to the supposed voicemail.

QR Code Banking ScamsSantander and other banks are aware of QR Code scammers that use spoof emails pretending to be from the bank. The emails ask customers to consent to a new data policy or review a security process by scanning a QR code in the email. Examining the code, the email customer is sent to a landing page that looks exactly like the bank’s login page.

QR Code Payment Scams: cashless parking is a part of the modern car park landscape. Often, to pay for parking, a driver will be offered a QR code to scan that will take them through a process to pay for parking. Scammers are exploiting the legitimate QR codes in many car parks, sticking fake QR codes over the top of these legitimate QR codes. When drivers scan the fake QR code, they are directed to a spoofed but legitimate-looking website, where they can enter financial card details to pay for parking. Once those details are entered, they are stolen by the fraudster.

The fact is that the QR Code is an ideal mechanism for fraud. Various tactics are evolving in this exploit, including using embedded image links in emails, which can load a QR code, and QR code images sent as attachments.

Did You Know?

47%

increase in QR code usage each year

80%

US based users that trust QR code technology

90%

cyber attacks begin with phishing

10 minutes

to seamlessly install PhishTitan

How Does Quishing Work?

Malicious QR Codes

The examples shown above, where spoof branded emails were used to carry QR codes, are examples of malicious QR code use. The email brand is cleverly replicated to trick employees into believing they are dealing with a legitimate company. In this type of QR code threat, attackers embed malicious QR codes in phishing emails as content or attachments. When victims scan the code using a personal mobile device, they are directed to a malicious website, where, ultimately, the execution of malware on the device occurs.

Spear Quishing

Targeted Quishing or Spear Quishing is where adversaries send spear-phishing emails with QR codes to targeted employees. The QR codes redirect the employee to spoof Microsoft Office 365 login pages. Unsuspecting users enter their login credentials, which are then stolen. These compromised credentials will then be used to access the corporate network, leading to various attacks, including ransomware infection, Business Email Compromise, and data breaches.
 

Why are QR Code Attacks So Dangerous?

The trustworthiness of QR codes means that individuals are more likely to interact with the code. This leads to employees feeling comfortable enough to use their mobile devices to scan the QR code. Cybercriminals understand that personal mobile devices are less secure and contain sensitive information. The hackers leverage this security flaw.

QR code attacks are also varied, making them more difficult for users to identify. Some companies are even using QR Codes to facilitate fast login. QR codes can take employees to spoof websites that steal credentials or even arrive embedded in malicious attachments that install malware.

What About the Cost of QR code Phishing to a SMB?

Small companies may feel safe from the specter of QR code phishing, but the statistics show they are not. Insurers Hiscox explored the issues of a cyberattack on small UK companies using their live attack system. The research shows that in the UK, small companies are being attacked around 65,000 times per day, many of the attacks in the form of phishing. On average, the basic clear-up costs of a successful attack cost a small UK business around £25,700 ($33,700) per attack. This does not include intangible costs such as damage to reputation and lost customers.

Even at the personal level, QR code scams are costing individuals thousands. A recent spate of car park QR code scams has cost drivers thousands. The scammers replace legitimate QR codes used to pay for parking with malicious QR codes that take drivers to fake websites to steal credit card information.

The popularity of the QR code use is captured in a 2024 report which found a 47% increase in QR code usage each year. It is this trust and convenience that scammers are exploiting.

How to Protect your Business & Users from Quishing Attacks

QR code phishing or Quishing should be integral to security awareness training. Educate employees about Quishing dangers as part of more general phishing training and include QR codes in simulated phishing exercises. Teach employees about the various aspects of QR code technology and its exploitation. Ensure employees understand:

  • To be cautious of any QR codes embedded in emails with poor image quality or blurry.
  • QR code scanners often preview the link, allowing users to see where they’ll be taken before scanning.
  • Practice caution when scanning QR codes from unknown sources, unsolicited emails, or public places.
  • To check the URL after scanning the QR code. If the URL looks suspicious, shortened, or different from what you expected, do not proceed.
  • To swiftly report any Quishing attempt to the line manager, security team, or other company authority. This helps to mitigate incidents.

Hear from our Customers

Simple setup, minimal maintenance

PhishTitan is extremely easy to setup & onboard customers, it typically takes us less than 5 minutes to have a client completely onboarded onto the platform. We've been using the platform for around 6 months now and have had to perform next to no maintenance on it, it just works. Phishing detection is extremely accurate. We have not had any issues to report yet! And based on their responses from queries, their support team would be on it straight away with a fast resolution. Overall: Great product, easy to use & setup, great detection & next to no maintenance required. Would fully recommend the product to greatly reduce your phishing threats and administration time.

Ricky B.

IT Operations Director

Handling Phishing Easily With PhishTitan

What do you like best about PhishTitan? Integration of the software with employees training materials and user based phishing reporting. Multi language support capabilities and campaign customization. Automated attack simulations that boosts awareness and training. Effectiveness of the software in simulated spear phishing assessment. Phish Titan facilities custom built phishing templates and conducts user phishing awareness and vulnerability to actual threats. Availability of alternative social engineering tests and and integration with training materials. Limitless implementation and reliable customer services. What problems is PhishTitan solving and how is that benefiting you? The product has enabled us to timely detect security vulnerability in our systems and ensure our organisation is equipped to handle sophisticated and mutating cyber threats and attacks.

Catania G.

Managing Director

PhishTitan Review - IDT

We are still assessing the product, for now, the reporting spam function appears to be solid.

Raphael

Director, Information Systems

Another GREAT Product from TitanHQ

What can i say besides i LOVE these guys. they are on top of things. we currently are using most of the products and they are so easy to integrate to our MS365. on boarding was easy, this gives the user a way to make the decisions on the emails legitimacy.

John F.

Network Admin

PhishTitan is the Next Best Thing

Comments: We are a current customer of their SpamTitan product and have expanded our buy with the company because the products are sound and a great value. Ease of setup, Ease of deployment, Straightforwardness of features and settings.

Hugh

President

Advanced Quishing Detection

PhishTitan augments Microsoft native security to kill Quishing. PhishTitan goes beyond the boundaries of an SEG to provide Integrated Cloud Email Security (ICES). An ICES is a cloud-based, integrated solution using advanced technologies for anti-phishing detection. These technologies include AI, machine learning, and natural language processing (NLP). Even sophisticated and multi-part phishing threats that use QR codes and out-of-band mobile elements can be detected using PhishTitan's advanced AI-powered technology. Important features that allow PhishTitan to kill QR code phishing include:

Real-time Detection

QR code phishing often deploys dynamic content generation. This clever tactic means a malicious payload can rapidly change to avoid detection. This is known as a zero-minute phishing threat. PhishTitan's advanced AI-enabled anti-phishing detection uses a vast training corpus to identify predictable patterns in QR code evasion.

Behavioral Analysis

Often, unusual behavioral patterns can pinpoint an attack that uses evasive techniques like QR code scams. Advanced anti-phishing solutions, like PhishTitan, provide behavioral analysis that identifies unusual user behavior as they interact with QR codes. ICES solutions use techniques such as NLP to detect suspicious behaviors and patterns and alert administrators of a potential phishing attack.

Time of Click Protection

QR codes often take users to malicious websites, and the URL associated with the QR code steals data or installs malware. PhishTitan automatically checks the website presented by the QR code for malicious activity. These checks are performed in real-time. If the URL points to a phishing site, the employee will be prevented from opening the site.

Education and mobile security are two layers of protection, but the third layer is to detect the QR code phishing threat before it enters the employee inbox. PhishTitan provides advanced phishing detection, including the detection of Quishing attempts. PhishTitan stops an employee from navigating to a malicious website that a QR code may initiate. Based on advanced AI-based algorithms to spot difficult-to-detect and complex phishing attacks, PhishTitan keeps ahead of the Quishing fraudsters.

Talk to TitanHQ's experts to understand how you can stop QR code phishing from costing your company thousands.

Susan Morrow

Susan Morrow

  • PHISHING PROTECTION

Frequently Asked Questions (FAQs)

What is Spear Quishing?

Targeted Quishing or Spear Quishing is where adversaries send spear-phishing emails with QR codes to targeted employees. The QR codes redirect the employee to spoof Microsoft Office 365 login pages. Unsuspecting users enter their login credentials, which are then stolen.

What is an Anti-Phishing Filter?

Phishing messages typically contain indicators of malicious intent, such as links to spoof landing pages; these links have a Uniform Resource Identifier (URI) that points to the landing page used to steal login credentials and other data. An anti-phishing filter detects malicious URIs by comparing them to a database of known phishing URIs. Advanced anti-phishing filters use AI-enabled measures to detect and filter malicious emails, using multiple techniques to look for signals of phishing.

Why do you need QR Code Phishing Protection?

QR codes often take users to malicious websites, and the URL associated with the QR code steals data or installs malware. PhishTitan automatically checks the website presented by the QR code for malicious activity. These checks are performed in real-time. If the URL points to a phishing site, the employee will be prevented from opening the site.  PhishTitan keeps ahead of the Quishing fraudsters.

What is Email Phishing Protection?

Effective email phishing protection involves using an advanced, AI-enabled email filtering solution, predictive analysis to prevent zero-minute attacks, DNS filtering, and other human-centric measures such as employee phishing training and security awareness training. By applying layers of protection, even evolving threats, such as zero-minute and zero-day attacks, can be prevented.

Traditional vs. Advanced Anti-Phishing Filters

Traditional anti-phishing filters scan the source code of email content and landing pages to detect known malicious signatures. However, attackers who have evolved tactics to evade traditional phishing detection have circumvented this static detection method. For example, polymorphic malware and content can generate undetectable dynamic signatures that fool conventional anti-phishing filters. This ability to rapidly change malware signatures has led to the development of advanced anti-phishing.

Talk to our Team today

Talk to our Team today