Police in Northern Ireland have warned organizations in the province to be on their guard after issuing a new Crime Prevention Notice on “quishing,” or phishing via QR code.
Originally published by the Police Service of Northern Ireland (PSNI) Cyber Crime Centre, the notice urges all local businesses to ensure staff cybersecurity awareness training is updated so employees can spot the threat.
QR phishing, or quishing, has a similar end goal to regular scam emails, which are designed to trick the victim into handing over their credentials/personal information or unwittingly installing malware.
The victim typically receives an unsolicited email, but this time containing a PDF or PNG image of a QR code. The example given in the notice is one branded with Microsoft Authenticator, although other brands may also be spoofed for similar effect.
Read more on QR threats: Record Number of Mobile Phishing Attacks in 2022
This mode of operating helps the phishing email bypass traditional security filters and increases the chances of the recipient trusting the sender, according to the PSNI.
“The requirement to scan a QR code increases the likelihood of a recipient using a personal device outside of an organization’s web or anti-virus protection,” the notice continued. “As with other phishing campaigns, the recipient is taken to a URL which may be hosting malware or a credential harvesting ‘sign-in’ page.”
QR phishing is nothing new: researchers warned of a surge in threats during the pandemic as QR codes began to be used by healthcare providers and the hospitality sector.
One campaign in 2020 featured scam emails and text messages designed to trick users with the promise of a Covid vaccine.
In August this year a major quishing campaign was spotted targeting customers of companies in the energy, manufacturing, insurance, technology and financial services sectors.
Experts warned at the time that users are more likely to fall for QR code scams as they don’t contain the spelling and language errors which are a tell-tale sign of a phishing attack.