In the ever-evolving landscape of cybersecurity, a new threat has emerged: QR code phishing emails. We finally have a name for this style of attack: "quishing." These attacks are particularly concerning because they can evade most anti-spam and anti-phishing filters, posing a significant risk to users.
Quishing attacks exploit the fact that cybersecurity defenses are less likely to detect QR codes than traditional links or attachments. Cybercriminals mimic messages from legitimate companies and embed QR codes in their phishing emails. Users are redirected to phishing websites that mimic authentic login pages when they scan the QR code.
The effectiveness of quishing lies in its ability to bypass traditional email protections. Because the malicious content is embedded in a QR code rather than a clickable link, it can often slip past security filters unnoticed. Furthermore, because QR codes are typically associated with legitimate marketing practices, users may be less suspicious of them.
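The gap described above can be seen from the mail filter's side. The following is an added example, not code from Delaney Computer Services or Microsoft: it runs a link-only check over two constructed sample emails and shows that the QR-code message exposes no URL at all, so it must be routed to image analysis instead. The addresses, the example.test domain, the placeholder image bytes and the "QR"/"scan" wording heuristic are all assumptions made for illustration.

```python
import re
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
QR_HINT_RE = re.compile(r"\bqr\b|\bscan\b", re.IGNORECASE)  # assumed wording heuristic

def build_message(html, image=None):
    """Build a constructed sample email; all addresses and content are made up."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Action required: multi-factor authentication"
    msg.set_content("This message requires an HTML-capable mail client.")
    msg.add_alternative(html, subtype="html")
    if image is not None:
        # Inline image referenced from the HTML body via its Content-ID.
        msg.get_payload()[1].add_related(image, "image", "png", cid="<qr1>")
    return msg

def triage(msg):
    """Return what a link-only filter sees, plus the image parts it never inspects."""
    urls, images, qr_wording = [], [], False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            text = part.get_content()
            urls += URL_RE.findall(text)
            qr_wording = qr_wording or bool(QR_HINT_RE.search(text))
        elif ctype.startswith("image/"):
            images.append(ctype)
    return {"urls": urls, "images": images,
            "route_to_image_analysis": bool(images) and qr_wording and not urls}

# Constructed placeholder bytes standing in for a QR code PNG (not a real image).
FAKE_QR_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

LINK_PHISH = build_message(
    '<p>Verify here: <a href="https://login.example.test/verify">Sign in</a></p>')
QUISH = build_message(
    '<p>Scan the QR code with your phone to re-enroll.</p><img src="cid:qr1">',
    FAKE_QR_PNG)

if __name__ == "__main__":
    for name, m in (("link phish", LINK_PHISH), ("quish", QUISH)):
        print(name, triage(m))
```

The link-based message yields a URL that reputation checks can score; the QR message yields none, which is why it needs a separate path that decodes the image before any URL check can run.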
One major reason quishing is so effective is that users have been conditioned to use QR codes for security purposes, such as setting up multi-factor authentication. In many of these quishing emails, we have seen the QR codes embedded in look-alike emails from Microsoft 365, further enhancing their perceived legitimacy.
Given the rise of quishing attacks, it’s crucial to exercise caution when dealing with QR codes received via email. Do not scan QR codes from unsolicited emails. If you receive such an email, report it immediately for review. Microsoft will never send you a QR code by email.
At Delaney Computer Services, Inc., we understand the anatomy of these threats and have developed advanced cybersecurity tools to mitigate their impact. While these tools can’t stop quishing attacks outright, they can significantly reduce their ability to perform account takeovers.
Our senior cybersecurity engineers have analyzed these threats in detail and have been proactively warning our clients not to open any QR code emails. We also emphasize the importance of using the report phishing tool in Outlook, Outlook Mobile, and Outlook web app when they receive a quishing email.
If you’re using Microsoft 365 for email and you receive a quishing email, it’s important to report it immediately. This not only helps protect your own account but also contributes to improving Microsoft’s spam filters. Here’s how you can do it:
Remember, every report is a step towards making our digital world safer.
DCS is committed to keeping your digital environment secure. If you have any concerns or need further assistance, don’t hesitate to reach out to us at our offices in Mahwah, New Jersey; New York City; or Coral Springs, Florida.
Stay safe and stay vigilant!
Rich Delaney, CTO/CSO
Delaney Computer Services, Inc.