What is Quishing?

Quishing (QR code phishing) has grown with increased QR code adoption during the pandemic and beyond. Attackers embed malicious URLs in QR codes displayed in phishing emails, fake parking tickets, counterfeit payment terminals, fake cryptocurrency wallets, conference materials, flyers, or overlay stickers on legitimate QR codes.

The attack works for several reasons: most people scan codes without examining the destination URL, QR scanners often bypass traditional security controls, mobile devices may have weaker security than computers, and QR codes are appealing because they save the manual effort of typing URLs. Victims who scan malicious codes may reach credential phishing pages, malware downloads, cryptocurrency scam sites, or payment fraud platforms. The QR code’s opacity makes detection difficult until it is scanned.

Business Impact

Quishing enables attackers to bypass email security filters, since malicious URLs embedded in QR codes aren’t easily analyzed by automated systems. Organizations face brand impersonation through fake QR codes attached to their brand, customer victimization when fake codes replace legitimate ones, and difficulty educating users about QR code risks. The physical nature of some quishing attacks (stickers over legitimate codes) creates challenges beyond digital monitoring. As QR code usage expands for payments, authentication, and access control, the attack surface grows.

Allure Security's Approach

Monitoring for phishing sites used in quishing campaigns, detecting fake websites that display QR codes in phishing emails, and educating stakeholders about quishing risks all form part of comprehensive phishing protection. Analyzing destination URLs from QR codes in phishing content enables threat detection.
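
One way to triage destination URLs once the QR codes in suspicious content have been decoded, as an added example that is not Allure Security's code or method. The brand domain example.com, the brand keyword, the shortener list and the sample payloads are all constructed assumptions, and the QR decoding step itself is assumed to have happened upstream.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for illustration (not from the page): the protected brand's
# real domain, a brand keyword, and a short list of URL shorteners.
LEGIT_DOMAINS = {"example.com"}
BRAND_TOKEN = "example"
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def triage_qr_payload(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload deserves analyst review."""
    try:
        url = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable URL"]
    if url.scheme not in ("http", "https"):
        return ["non-web payload: " + (url.scheme or "none")]
    host = (url.hostname or "").lower().rstrip(".")
    reasons = []
    if url.scheme == "http":
        reasons.append("cleartext http")
    if url.username or url.password:
        reasons.append("userinfo before @ hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP-literal host")
    except ValueError:
        pass  # not an IP address, so a DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host")
    if host in SHORTENERS:
        reasons.append("URL shortener: resolve before judging")
    legit = any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)
    if BRAND_TOKEN in host and not legit:
        reasons.append("brand name on a domain the brand does not own")
    return reasons


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in ("https://www.example.com/pay",
                   "http://192.0.2.10/login",
                   "https://example-secure-pay.test/login",
                   "https://example.com@account-check.test/"):
        print(sample, "->", triage_qr_payload(sample) or "no flags")
```

An empty result means only that none of these heuristics fired; it is not a verdict that the destination is safe.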
