The Rising Tide of Phishing & Quishing: A Threat to Every Organization

Phishing’s been around for a while in the cybersecurity sphere. Every year, 83% of all organizations experience phishing attacks, sometimes daily. And over 3.4 billion phishing emails are sent out by attackers in a day, amounting to over a trillion per year.

Phishing is a constant point of contention for organizations, and it refuses to go away. That’s because attackers are always evolving. In recent times, they are taking generative AI’s help to quickly create realistic login pages requiring zero input or coding expertise to set up.

Quishing: The New QR Code Phishing Threat

As phishing has evolved, it has also branched out into various forms targeting different mediums. We’ve seen smishing (SMS phishing), vishing (voice call phishing), and spear phishing (targeted attacks against organizations). Now, a new threat has emerged: quishing.

But before crafting a strategy of cybersecurity against phishing, it’s important to start by understanding what it really is. Phishing is the act of approaching people through different mediums like email, text, call or nowadays even QR codes, and getting them to provide personal data or sensitive information that they hold. In the case of organizations, it’s usually identity access to company data via login credentials.

Quishing is a subset of phishing that has recently gained prominence, mainly because of how ubiquitous and all-encompassing QR codes have become in our lives. Quick response codes are square barcodes that are readable by mobile cameras – a scan can directly lead to a webpage, trigger a phone call, or most pertinently, prompt a digital payment.

Recently, there was a quishing scam where attackers impersonated the Chinese Ministry of Finance and told recipients they were eligible to receive a new government-funded subsidy. To start receiving the payments, they had to scan a QR code and fill out an application form on an unsecured website. You probably know how it went from here. ‘Donate to Ukraine’ QR scams have also been doing the rounds in the last couple of years.

Anyway, back to the origins of QR. The code was developed in Japan during the mid-90s, but only during the lockdown did it suddenly shoot up in prominence. Soon enough, due to its contactless nature, it became the go-to for visiting online menus, filling out applications and facilitating digital payments.

QR codes hold a lot more prominence in India because of its interlinking with another digital phenomenon in UPI. 2023 saw over 139 trillion rupees change hands via the platform, and QR code-led transactions made up an increasing bulk of this. The year of 2022 began with 152 million QR code transactions in January, which almost doubled to 237 million transactions by December of the same year.

More and more Indians are adopting smartphones and digital payments, but that is not being complemented by the required cybersecurity awareness. It shows – 15,000 cases of UPI frauds in 2022, doubled to 30,000 in 2023. Stats like these make India the third most targeted country for phishing attacks.

Why Quishing is Advantageous for Attackers

Here’s what makes quishing via UPI such an advantageous tactic for attackers:

• It’s instantaneous, as money is deposited immediately to the attacker’s accounts.
• It’s omnipresent, a culture almost, in that QR codes are everywhere around us. It becomes really easy for scammers to generate QR codes and send them to people via social media & emails.
• There is a lack of bank interference and oversight, giving the tactic higher rates of success.

Of course, quishing doesn’t just involve UPI payments – they can also lead to fake websites where people enter their credentials, or unsecured links that install malware and initiate authentication bypass attacks. Therefore, it is a fallacy to assume that quishing can have no impact on an organization. Sure, many scams do target individuals, but enterprises are also vulnerable.

Attackers often use quishing to get members of an organization to transfer from their workstations to their mobiles, as QR codes are mostly scanned by smartphones. Smartphones may have weaker anti phishing protections than a company laptop, which makes them an ideal hub to solicit financial info, distribute mobile malware and steal enterprise login credentials. They are effective because the deceptive nature of these scams often leave victims with minimal recourse, as attackers leave behind little to no digital footprint.

So, how do you as an organization safeguard from phishing and quishing-related identity access? There are two ways to go about it: measures you undertake to inculcate best practices amongst all your employees, and measures specifically for your cybersecurity team.

Let’s start with the former, because that could very well be the tipping point: an employee pool unaware of best practices is a liability, but as soon as they gain awareness, they become an asset. They essentially become the frontline of your defense, and educating them effectively is the key to this.

The best security awareness programs engage the user rather than preach to them. Therefore, it is imperative to devise interactive programs that involve elements of gamification like quizzing, contests and leaderboards. Some organizations even prompt employees to think like the attacker, and use the learnings from the exercise to reverse engineer cybersecurity strategies.

Irrespective of how you structure your programs, the end result should be inculcating the following quishing and phishing-related best practices in your audience:

• Never scan a QR code from an unfamiliar source.
• Review the preview of the QR code’s URL to see if it appears legitimate. If it starts with a http instead of a https, stay away.
• If you do receive a QR code from a trusted source, especially one that involves you having to give up personal info or conduct a transaction, confirm with the source via text or voice call as an additional precaution.
• Undertake good password hygiene, which includes changing your email password regularly and never using the same password for more than one account.
• Verify the authenticity of callers claiming to represent banks, companies and government agencies, if their call to action is to prompt you to scan a QR code and fill something out. Cross check their credentials through official channels.
• Never share personal or sensitive information, like bank account details, OTPs, AADHAAR numbers and UPI PINs.
• Avoid scanning QR codes from unfamiliar sources like social media.
• And finally, check for the hallmarks of phishing, like a sense of urgency, calling at irregular times to throw you off and evoking emotions like sympathy or fear.

However, to effectively spread these learnings across the organization, your cybersecurity house must be in order. That starts by incorporating all these phishing-resistant elements into your strategy:

• Allowing & blocklisting known phishers
• Antispam filters
• Strong email security and password policies
• MFAs, preferably phishing-resistant ones that involve physical passkeys or biometrics
• Antimalware protection
• Email security gateways
• Threat intelligence services

The key to making both these approaches work is constant evolution and improvement. Employee education should be conducted at least twice a year, and the same goes for evaluating your phishing-resistant cybersecurity tools. So, if you’re looking to effectively fortify your identity access from the negative impacts associated with phishing and quishing, you can get started by contacting us here.