Squish the Quish – Stop and Think Before You Access a QR Code

What are quishing attacks and why are they growing in popularity?

Back in May, I attended Cyburgh, an annual conference held by the Pittsburgh Technology Council to bring together cybersecurity professionals and enthusiasts across the Greater Pittsburgh region to discuss challenges and opportunities within the cybersecurity industry.

I was enraptured by one of the keynote speakers, Summer Craze Fowler, then-Senior VP of Cybersecurity and IT at Motional. As she moved through her slide deck, she really worked to engage the audience with humor and pop culture references to liven up the cybersecurity discussion she was leading us through. She moved to one slide with a QR code, and I was surprised when she said something like, “Don’t worry. This QR code is safe, I promise.”

QR codes aren’t safe? I thought to myself as I picked up my iPhone to scan the QR code to access the link.

Once COVID-19 restrictions eased in 2021, QR codes were everywhere you went – restaurants, bars, retail stores, the office. They became second nature to me, and I’m assuming to many others too. Even my grandmother knows how to scan a QR code via her iPhone. When something becomes expected as a convenience and established as a norm, it’s natural to let your guard down and assume it’s inherently safe.

But QR codes should make us all pause.

What’s so bad about QR codes?

Quishing is defined as a phishing attack initiated via a QR code, and make no mistake about it, quishing is on the rise. According to research conducted by Check Point, quishing attacks increased by 587% between August and September 2023. A QR code can direct you to a website, add a contact, download an attachment, initiate an email, or trigger some other action, any of which may or may not be malicious. Malicious links or data are easily encoded in the standard QR code image format, which makes a malicious code harder to spot: it looks exactly like the “normal looking” QR codes you are exposed to every day.

What can I do to protect myself and my company?

Awareness is key. Knowing that you should be wary of QR codes – at home, at work or in public – is the first step. Take the precautionary measure of verifying the domain associated with a QR code before you act on it.

Also, if you’re using a mobile device to scan a QR code, remember that it often has fewer security controls than your network-connected corporate devices. Some devices automatically open the URL as soon as the camera is pointed at the code, and even if your device prompts you to accept the redirect, the link could still be malicious. Be sure to double check that the URL is valid, just as you would in a web browser, and avoid scanning any codes you find in the wild.

For example, if you are eating at a restaurant with QR code menus, be sure to verify the URL is legitimate before clicking through. Remember, it takes seconds for a threat actor to cover up a genuine QR code with a malicious one.

Always alert your IT team if you receive a suspicious email with a QR code. When in doubt, don’t scan!
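As an added illustration (not code from the original post), here is a small Python triage routine for the text a scanner app shows before it opens a QR payload: it identifies what action the code would trigger and lists the reasons a URL deserves a second look. The trusted-domain list, shortener list and risk signals are assumptions, not an exhaustive rule set.

```python
# Added example (not from the original post); lists and signals are assumptions.
from urllib.parse import urlsplit
import ipaddress

TRUSTED_DOMAINS = {"example.com", "menu.example-restaurant.com"}  # hypothetical
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}

def payload_kind(text: str) -> str:
    """Classify the action a scanner app would take on this QR payload."""
    low = text.strip().lower()
    if low.startswith(("http://", "https://")):
        return "url"
    if low.startswith("mailto:"):
        return "email"
    if low.startswith(("tel:", "sms:", "smsto:")):
        return "phone"
    if low.startswith(("begin:vcard", "mecard:")):
        return "contact"
    if low.startswith("wifi:"):
        return "wifi"
    return "text"

def url_risk_flags(url: str) -> list[str]:
    """Reasons a URL deserves a second look before it is opened."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not https")
    if parts.username is not None:  # https://bank.example@evil.test style
        flags.append("credentials/@ in URL hides real host")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if not host.isascii() or "xn--" in host:
        flags.append("non-ASCII/punycode host (possible look-alike letters)")
    if host in SHORTENERS:
        flags.append("URL shortener hides destination")
    registrable = ".".join(host.split(".")[-2:])  # crude: no public-suffix list
    if host not in TRUSTED_DOMAINS and registrable not in TRUSTED_DOMAINS:
        flags.append(f"domain {registrable!r} not on trusted list")
    return flags

def triage(text: str) -> dict:
    kind = payload_kind(text)
    flags = url_risk_flags(text) if kind == "url" else []
    if kind not in ("url", "text"):
        flags.append(f"code triggers a {kind} action, not just a web page")
    return {"kind": kind, "flags": flags, "open": kind == "url" and not flags}
```

Only a trusted, HTTPS URL with no warning signs comes back with `"open": True`; everything else is left for a human to look at.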

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.


© 2024 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
