-
Barracuda threat intelligence researchers have detected more than half a million phishing emails with quick response (QR) codes embedded in PDF documents.
- QR codes that lead to phishing websites are now being included in PDF documents and attached to emails — versus being included in the emails themselves.
- The attacks are designed to capture login credentials for compromise.
Quishing attacks by the numbers
In most of the attack samples analyzed by Barracuda researchers, scammers impersonate well-known companies. Microsoft, including SharePoint and OneDrive, is impersonated in more than half (51%) of all the attacks, followed by DocuSign (31%), and Adobe (15%). In a small number of the attacks, scammers impersonate the human resources department at the intended victim’s company.
In these attacks, cybercriminals send phishing emails and attach a simple one or two-page PDF document that includes a QR code. No other external links or embedded files are included in the PDF. Recipients are directed to scan the QR code with the camera on their mobile phone, so they can view a file, sign a document, or listen to a voice message. If they do so, they are brought to a phishing website designed to capture their login credentials.
Brands being impersonated
Quishing poses some unique security challenges for businesses. Traditional email filters struggle to detect these attacks because there are no direct links or suspicious attachments to scan. Additionally, quishing often involves multiple devices: employees receive the phishing email on one device but scan the QR code using a different device, such as a personal mobile phone that may lack the same level of security protection as corporate systems. As a result, these attacks can bypass corporate defenses, making them difficult to track or prevent.
Certain industries — such as finance, healthcare, and education — are increasingly being targeted by quishing attacks due to the sensitive data they handle. Small-to-medium businesses (SMBs) are especially vulnerable since they often lack the advanced security tools needed to protect against these sophisticated phishing tactics. The shift in tactics from embedding QR codes in the body of an email to attaching them in PDF documents makes it harder for traditional defenses to identify and block these attacks before they reach employees.
Examples of quishing emails
In this phishing email that impersonates DocuSign, the recipient is directed to scan the QR code in an attached PDF document to review and electronically sign “secured documents”.
Defending your business from attacks
Here are several ways to defend against quishing:
Deploy multilayered email security
Put robust spam and malware filters in place and ensure they are properly configured to block phishing messages effectively. IT teams further need to perform a health check on email gateway settings regularly to ensure optimal performance.
Use AI and other advanced technology
Scammers are adapting their tactics to bypass gateways and spam filters, so it’s critical to have a solution in place that detects and protects against targeted phishing attacks. Supplement your gateways with AI-powered cloud email security technology that doesn’t solely rely on looking for malicious links and attachments.
Educate users
Be sure your security awareness training teaches employees about quishing and the risks of scanning QR codes from unknown or questionable sources. Ensure employees can recognize these attacks, understand their fraudulent nature, and know how to report them.
Enable multifactor authentication (MFA)
Provide an additional layer of security above and beyond username and password and reduce the potential impacts of credential compromise by using MFA to protect access to user accounts.
Related resources
[Report] Top Email Threats & Trends ~ June 2024
https://www.barracudamsp.com/resources/reports/top-email-threats-and-trends-vol1
[Blog post] Quishing: What you need to know about QR code email attacks
https://blog.barracuda.com/2023/10/05/quishing-what-you-need-to-know-about-QR-code-email-attacks
[Blog post] Novel phishing techniques to evade detection: ASCII-based QR codes and ‘Blob’ URIs
https://blog.barracuda.com/2024/10/09/novel-phishing-techniques-ascii-based-qr-codes-blob-uri
This article was originally published at Barracuda Blog.
Photo: Bernardo Emanuelle / Shutterstock