What is quishing?

Quishing, or QR phishing, is a type of cybersecurity threat in which attackers create QR codes to redirect victims into visiting or downloading malicious content.

Learning Objectives

After reading this article you will be able to:

  • Define quishing
  • Explain how a quishing attack works
  • Understandow to protect oneself from quishing attacks

Copy article link

What is quishing?

Quishing, or QR phishing, is a cybersecurity threat in which attackers use QR codes to redirect victims to malicious websites or prompt them to download harmful content. The goal of this attack is to steal sensitive information, such as passwords, financial data, or personally identifiable information (PII), and use that information for other purposes, such as identity theft, financial fraud, or ransomware.

This type of phishing often bypasses conventional defenses like secure email gateways. Notably, QR codes in emails are perceived by many secure email gateways as meaningless images, making the users vulnerable to specific forms of phishing attacks. QR codes can also be presented to intended victims in a number of other ways.

What are QR codes?

QR codes, or Quick Response codes, are two-dimensional barcodes that can be scanned easily with a camera or a code reader application. The main component of a QR code is data storage. QR codes have the capability to store significant amounts of information including URLs, product details, or contact information. Scanning technology allows smartphone cameras or code readers to easily and quickly access the website to which the URL points.

How does quishing work?

In a quishing attack, the attackers create a QR code and link it to a malicious website. Typically, the attacker will embed the QR code in phishing emails, social media, printed flyers, or physical objects, and use social engineering techniques to entice the victims. For example, victims might receive an email urging them to access an encrypted voice message via a QR code for a chance to win a cash prize.

Upon using their phones to scan the QR code, victims are directed to the malicious site. The site may prompt victims to enter private information, such as login information, financial details, or personal information. In the example above, the site may request the user’s name, email, address, date of birth, or account login information.

Once this sensitive information is captured, attackers can exploit it for various malicious purposes, including identity theft, financial fraud, or ransomware.

How can end-users prevent quishing?

Make sure to verify the URL associated with the code, and refrain from submitting personal information, making payments, or downloading anything from a site assessed through a QR code. By adopting these practices, individuals can reduce the risk of falling victim to quishing attacks.

How does Cloudflare help organizations defend against quishing attacks?

Most email security solutions are designed to inspect text, URLs, and attachments. However, QR codes are essentially just images. On their own, the pixels are meaningless, but once decoded, the QR code resolves to a URL. If the email security solution cannot interpret QR codes to uncover malicious URL hidden behind them, users are left unable to determine where the QR code will lead unless they scan and decode it. At that point, the trap is sprung, potentially exposing users to malware or credential harvesting. Cloudflare Cloud Email Security's advanced protection with native image analysis processing, enables the service to identify and resolve QR codes in real time. The resulting URLs are then assessed against our detection models. If necessary, they may be crawled in real time if our detection models are unable to make an immediate assessment. Learn how Cloudflare Cloud Email Security can protect you from quishing attacks.