Technology Blog »

QR Code Phishing Email Attacks on the Rise and Causing Real Problems

Image depicting a rise in QR code phishing emails Quishing

In the ever-evolving landscape of Cybersecurity, a new threat has emerged: QR code Phishing emails. And we finally have a name for this style of attack, now also known as “quishing.” These attacks are particularly concerning because they are able to evade most Anti-spam and anti-phishing filters, posing a significant risk to users.

How Quishing Works

Quishing attacks exploit the fact that cybersecurity defenses are less likely to detect QR codes than traditional links or attachments. Cybercriminals mimic messages from legitimate companies and embed QR codes in their phishing emails. Users are redirected to phishing websites that mimic authentic login pages when they scan the QR code.

Why Quishing is Effective

The effectiveness of Quishing lies in its ability to bypass traditional email protections. Because the malicious content is embedded in a QR code rather than a clickable link, it can often slip past security filters unnoticed. Furthermore, because QR codes are typically asSOCiated with legitimate marketing practices, users may be less suspicious of them.

One of the major reasons that quishing is so effective is due to past conditioning of using QR codes for security purposes, such as setting up multi-factor authentication. In many of these quishing emails, we have seen that they are embedded in look-alike emails from Microsoft 365, further enhancing their perceived legitimacy.

How do Quishing emails evade anti-spam filters?:

  • Use of QR Codes: Traditional anti-spam filters are designed to detect malicious links or attachments in the body of the email. However, when the malicious content is embedded in a QR code, it can often slip past these security filters unnoticed.
  • Abuse of Legitimate Services: Cybercriminals often abuse legitimate services to carry out their attacks. This makes it harder for anti-spam filters to distinguish between legitimate and malicious content.
  • Base64 Encoding: Some quishing attacks use base64 encoding for the phishing link, which helps evade detection.
  • Change in Attack Techniques: As users become more aware of traditional email-based attack techniques, such as malicious links or attachments, threat actors are forced to switch to more unconventional methods like QR codes.
  • Obfuscation of Origin: Cybercriminals often obfuscate their location of origin to avoid detection.

A Word of Caution

Given the rise of quishing attacks, it’s crucial to exercise caution when dealing with QR codes received via email. Do not scan QR codes from unsolicited emails. If you receive such an email, report it immediately for review. Microsoft will never send you a QR code by email.

Mitigating the Threat with DCS

At Delaney Computer Services, Inc., we understand the anatomy of these threats and have developed advanced cybersecurity tools to mitigate their impact. While these tools can’t stop quishing attacks outright, they can significantly reduce their ability to perform account takeovers.

Our senior cybersecurity engineers have analyzed these threats in detail and have been proactively warning our clients not to open any QR code emails. We also emphasize the importance of using the report phishing tool in Outlook, Outlook Mobile, and Outlook web app when they receive a quishing email.

Reporting Quishing Emails in Microsoft 365

If you’re using Microsoft 365 for email and you receive a quishing email, it’s important to report it immediately. This not only helps protect your own account but also contributes to improving Microsoft’s spam filters. Here’s how you can do it:

  1. In Outlook, select the suspicious email.
  2. On the Home tab, in the Delete group, select Junk > Phishing.
  3. In the dialog box that opens, select Report.

Remember, every report is a step towards making our digital world safer.

DCS is committed to keeping your digital environment secure. If you have any concerns or need further assistance, don’t hesitate to reach out to us at our offices in Mahwah, New Jersey; New York City; or Coral Springs, Florida.

Stay safe and stay vigilant!

Rich Delaney, CTO/CSO
Delaney Computer Services, Inc.