Criminals Targeting Businesses with ‘Quishing’ Scams

It is without a doubt that over the last 2 years, every individual and business has had to adapt to the seemingly never-ending challenges caused by the pandemic.

As the pandemic forced us to remain inside and minimise contact with one another, we saw many technological and digital changes, including the adoption of remote working, increased app usage and retail businesses shifting from brick-and-mortar stores to e-commerce platforms.

However, one of the most interesting technology trends we have seen since early 2020 is the resurgence of QR codes.

When was the first QR code used?

Although most think of QR codes as a recent phenomenon, the square black and white barcodes were actually developed in 1994 by Denso Wave – a division of Toyota – to track automobile parts during the assembly process.

As the smartphone began its world dominance in the mid-to-late noughties, QR codes entered the mainstream as the general population had a way to scan them with their smartphone camera.

However, QR codes seemed to have died their death by 2013.

Or so we thought…

How are and how often are QR codes used now?

As we adjusted to living in a contact-free world to prevent the spread of C-19, QR codes presented the perfect, touch-free solution for many contact or face-to-face actions.

From ordering food, paying bills, and getting more information to checking into venues, QR codes have since been readopted across the board and are once again commonplace in most public spaces.

In a survey by Statista, it was reported that 46.75% of consumers in the UK and US either agreed or strongly agreed that their use of QR codes increased since the beginning of the pandemic.

As with anything rising in popularity, scammers are taking the opportunity to exploit the trend and target unsuspecting businesses and individuals. With the latest scam is unfortunately known as ‘quishing’ – a form of a phishing scam.

What is quishing and how does it differ to phishing?

Traditionally, a phishing email is sent from a scammer pretending to be a trusted contact or authority, for example, a colleague or bank.

The email will typically create a sense of urgency and contain a link, which if clicked on, will direct you to ‘phishing page’.

A ‘phishing page’ will be a copy of a login page, such as that of Microsoft 365, social media platforms or your bank/PayPal account.

If you enter your login details on a phishing page, the scammer will have access to your credentials and accounts and could:

  • Send fake emails/invoices
  • Pretend to be you
  • Withdraw and transfer money
  • Lock you out from your account
  • Steal your identity

As phishing emails increased in popularity, more advanced security measures were developed to identify potential phishing scams and divert them to junk folders to protect users.

With phishing emails containing a link or infected file, antivirus software can analyse links and files and decide whether the email is legitimate.

In a ‘quishing’ scam, the scammer will send an email containing a QR code.

The QR code will link to a phishing page, but as it does not contain a link, it makes it harder for antivirus software to figure out the legitimacy of the email.

An Example

  1. You open Outlook and notice an email has landed in your inbox from Microsoft, informing you that an email is being held in quarantine.
  2. At the bottom is a QR code which says ‘scan here to access your quarantined mail.
  3. You are expecting an important email from a client, therefore, it is possible that this quarantined email could be from them.
  4. You grab your phone and scan the QR code.
  5. After you scan the QR code, you are directed to the Microsoft 365 login page and prompted to enter your Microsoft login credentials to access your quarantined mail.
  6. Once you enter your details, the page reloads, appearing as if it didn’t work
  7. Believing there was a glitch, you enter your login details again and you are now logged into Outlook online, with no sign of a quarantined email.

 

The website loaded in step 5 is the phishing site, with the form set to redirect you to the real Microsoft 365 website once you submit your details, giving the impression of a glitch.

How To Protect Yourself from Quishing Scams

Sometimes it can be incredibly difficult to differentiate between a legitimate email and a phishing/quishing scam, especially if the scammer uses sophisticated techniques and masks their email address.

If you’re unsure whether an email is legitimate, use the acronym SCAM to help you determine whether it is or not.

SCAM stands for:

  • Sender & spelling
  • CTA
  • Ask
  • Make aware

Sender and Spelling

In the ‘From’ field, check the email address that was used to send the email. During this step, make sure to check that the sending domain matches that of the sender. For example, an email from PayPal would come from a PayPal branded email address and not paypalsupport@gmail.com.

Another thing to look out for in the sending domain is spelling mistakes. Some scammers will purchase domain names similar to the company they are trying to imitate, e.g. microsft.com or loydsbank.co.uk – both of which are missing characters.

CTA

Does the email prompt urgent action from you to provide login details/personal information?

Scammers will sometimes use scare tactics such as a fine or late bill to coax you into supplying your information.

Ask

If the email is from a contact you know, ask them if they actually sent it. Make sure to do this via a different communication method, such as face-to-face or a telephone call, as their emails may be compromised.

If they confirm they did send it, then you are safe to go ahead, if not, follow the next step.

Make Aware

If the email isn’t legitimate, inform the sender so that they can secure their account and inform their contacts. You should also make your colleagues and IT department or outsourced tech support aware of the email too.

Staying Safe

We hope you found this blog useful and that you are now more confident in recognising a phishing/quishing scam using our SCAM acronym.

As with most things, prevention is better than cure and educating your team on how to spot and react to a cybersecurity threat is key to staying safe online.

Our security awareness training is incredibly popular amongst SMEs and covers every aspect of cybersecurity to ensure your business is protected.

You can learn more about our security awareness training here.

Back to our blog

Are you a looking for IT Support for your business?

Get in touch via our Contact form or call us on 01225 426 800