QR codes have become a useful tool in the arsenal of bad actors looking to penetrate barriers to access because they’re easy to incorporate into attacks, difficult to detect and prevent, and good at fooling users into giving up credentials. Fortunately, there are effective steps cyber security pros can take to mitigate this growing attack vector.

A precipitous rise in 2023 in QR code phishing campaigns -- also known as quishing -- is being reported by many industry sources, including Perception Point, Check Point, and AT&T. It is a significant and growing trend, and although technically it’s little more than an embellishment to the standard phishing model, the technique has several features that merit attention.

Quishing works by encoding information, often a malicious link, in the ubiquitous QR code image format. The technical-looking codes often make it easier for employees to fall for the scam and harder for automated systems to detect.

Why is quishing on the rise?

As security platforms improve their ability to deal with phishing in general, bad actors are always looking for new ways to bypass defenses. Zero-trust policies and multifactor authentication reduce the effectiveness of phishing campaigns.

For the attacker, QR codes bring a number of benefits, including some appreciated by legitimate businesses: they are easy to create and easy to use. Attackers can use free resources to generate convincing QR code enabled phishing emails, attachments, and websites -- a mechanism that increases the effectiveness of their campaigns with minimal effort.

QR codes look official and present users with a convenient, fast option, making them exceptional bait, and they are also more difficult for automated systems to detect than other phishing techniques. Since a QR code is just an image that encodes information, it can be used to reduce the amount of malicious data in an email, thereby making it a less obvious target for spam filters.

They’re easy to generate and more effective than URL phishing, says Olesia Klevchuk, director of email protection at Barracuda. “URL scanning and URL rewrite technologies are ineffective against QR code attacks because there is simply no link to scan. Because users have to scan QR codes with their phones, it basically moves these attacks to an entirely new device that is often outside of the company’s security.”

Defending against quishing

From the defender’s point of view, the danger of malicious QR codes exists both within the human element (they have an air of legitimacy and are by design very simple) and the machine element (they obfuscate the actual contents of an email or message, making it harder for systems to detect).

Managing the problem requires several different approaches.

Education and awareness

As technology-oriented professionals, we work towards a technology-oriented solution, but education and awareness play their part. We’ve gotten used to harping on the distrust of emails and confirming through a second channel anything significant. Quishing adds an important element: QR codes are not any kind of indication of legitimacy.

The most obvious step in protection -- education of employees -- is both essential and unreliable. QR codes are frustratingly innocuous and inviting. Security professionals need to get the message out that an email with a QR code is to be treated with the same level of suspicion as any other. It can’t hurt to remind employees not to reuse passwords, and especially not between work and personal accounts.

Prevention of QR code phishing

Employee education must be accompanied by the hardening of technological defenses. It’s critical to ensure that scanning systems are configured to detect QR codes, unpack them as embeds or attachments, and look for malicious content. This is a front-line defense -- QR codes that never make it to the inbox are not a threat.

QR codes can be embedded in a number of ways, mostly inline or attached to other documents such as Word files or PDFs. Attackers have been clever about using the smaller footprint of a QR code to fool scanning, and security professionals need to verify with vendors that QR codes are a covered vector in their products.

Whitelisting/blacklisting of email sender domains is another good practice that can help with phishing in general and quishing in particular.

Cross-device and mobile security

QR codes often initiate cross-device interaction in which a user scans a code with their mobile device. In general, mobile devices may offer a less secure platform, and the move can switch the user from one work network to another network. Getting users onto mobile devices has become a go-to tactic for attackers in recent years.

QR code attacks put an emphasis on security and policy around cross-device interactions. This includes cross-domain security, wherein a user may be using a personal device to scan a code shown on a company computer, or vice versa.

There are a number of factors to consider that can impact resilience to quishing attacks, including “keeping tight controls around URL shortening and redirects happening from their domain,” says Mathew Woodward, principal threat intelligence researcher at Okta. Companies should be “paying attention to what QR codes they put out into the wild and ask themselves, ‘How could someone abuse this link?’” he says.

AI as a threat and a tool

You can be assured that attackers will use AI to generate convincing quishing emails. This is a case of fighting fire with fire. As Barracuda’s Klevchuk says, “The use of AI and image recognition technology is useful in detecting these attacks. AI-based detection will also look for other signals that can be a sign of a malicious presence, such as senders, image size, content, and placement in a to determine malicious intent.”

Machine learning detection is important because it is able to form a broader picture of a given artifact and make predictions about whether it's malicious or not beyond what a person might be able to foresee. AI can form a general picture of an event and make determinations based on real-world learning.

Red teaming attack simulations and penetration testing

There’s no way to know how you are doing without testing. An organization should be running simulated attacks to explore the response of its employees, technology, and security team. Including QR codes in those simulations is an important step. This type of simulation can also help discover how well the organization responds to a breach, especially with regard to compromised account detection and lockout.

Woodward echoes this: “Cybersecurity should be deploying tight controls to prevent account takeovers after login,” he says, “monitoring active credential stuffing attempts and stopping them at the identity-level using breached password detection.”

The role of multifactor authentication

Multifactor authentication can help mitigate the effects of a successful QR code attack by limiting the damage of compromised credentials. Interestingly, QR code phishing emails are often disguised as multifactor verification emails, a point to keep in mind when alerting employees and also when designing such legitimate verification notices.

The idea is a simple one. QR codes can be embedded in a variety of ways to encode scannable information, in the case of hackers usually a phishing URL or a malware download. By automatically triggering the effect, QR codes can reduce the amount of thought a user puts into using them. QR codes offer a low-effort “improvement” for attackers, a kind of asymmetrical warfare.

Although many quishing campaigns have been targeted at consumers so far, we know from experience that it will spread to enterprise and government targets, something we are already seeing.
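The front-line scanning step described under "Prevention of QR code phishing" above (find the QR image wherever it sits in the message, decode it, and scan what it points to), combined with the extra signals Klevchuk lists (sender, image size, placement), can be sketched as a triage pass over a MIME message. The following Python is an added example written for this article; it is not code from the article or from Barracuda, Okta, or any other vendor named here. The sample email, the trusted-domain and shortener lists, and the image bytes are constructed for the demo, and the QR decoder is a stand-in: a real pipeline would plug in a decoding library such as pyzbar at that one call site, and would also rasterise PDF and Office attachments first, since the article notes that QR codes are often carried inside those documents rather than as bare images.

```python
"""Added example (not the article's code): defender-side triage of QR code
phishing in a MIME message. Everything below the scan functions is constructed
demo data; the decoder is a stand-in for a real library such as pyzbar."""
from email import message_from_bytes
from email.message import Message
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr
from typing import Callable, Iterator, List
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "sso.example.com"}          # constructed allowlist
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # destination hidden behind these
LURE_WORDS = ("login", "mfa", "verify", "password", "authenticator")


def image_parts(msg: Message) -> Iterator[dict]:
    """Yield each image part with its placement and size (inline vs attachment)."""
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        data = part.get_payload(decode=True) or b""
        disposition = (part.get("Content-Disposition") or "inline").split(";")[0].strip().lower()
        yield {"filename": part.get_filename() or "(inline)", "placement": disposition,
               "size_bytes": len(data), "data": data}


def triage_payload(payload: str, trusted: set = TRUSTED_DOMAINS) -> dict:
    """Score one decoded QR payload the way a URL scanner scores a link."""
    url = urlparse(payload.strip())
    if url.scheme not in ("http", "https"):
        # Wi-Fi, vCard or free-text payloads are not links; surface them for a human.
        return {"verdict": "review", "reasons": ["non-http payload"]}
    host = (url.hostname or "").lower()
    if host in trusted or any(host.endswith("." + d) for d in trusted):
        return {"verdict": "allow", "reasons": ["trusted domain"]}
    reasons = []
    if host in SHORTENER_HOSTS:
        reasons.append("url shortener hides destination")
    if url.scheme == "http":
        reasons.append("plaintext http")
    if "@" in url.netloc:
        reasons.append("userinfo in url")
    if any(w in (url.path + "?" + url.query).lower() for w in LURE_WORDS):
        reasons.append("credential-harvest keyword")
    if any(d in host for d in trusted):       # e.g. sso.example.com.evil.tld
        reasons.append("lookalike of trusted domain")
    return {"verdict": "block" if reasons else "review", "reasons": reasons}


def scan_email(raw: bytes, decode_qr: Callable[[bytes], List[str]],
               trusted: set = TRUSTED_DOMAINS) -> List[dict]:
    """Header signals plus a triage result for every QR payload found in any image part."""
    msg = message_from_bytes(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_to = parseaddr(msg.get("Reply-To", msg.get("From", "")))[1].rpartition("@")[2].lower()
    findings = []
    for part in image_parts(msg):
        for payload in decode_qr(part["data"]):
            result = triage_payload(payload, trusted)
            if reply_to != sender:
                result["reasons"].append("reply-to domain differs from sender")
                if result["verdict"] == "allow":      # trusted link, untrusted reply path
                    result["verdict"] = "review"
            findings.append({"payload": payload, "filename": part["filename"],
                             "placement": part["placement"],
                             "size_bytes": part["size_bytes"], **result})
    return findings


# --- constructed demo data: placeholder image bytes and what a decoder would return ---
FAKE_PNG_INLINE = b"\x89PNG\r\n\x1a\n" + b"constructed-image-1"
FAKE_PNG_ATTACHED = b"\x89PNG\r\n\x1a\n" + b"constructed-image-2"
FAKE_DECODED = {FAKE_PNG_INLINE: ["http://bit.ly/mfa-reenroll"],
                FAKE_PNG_ATTACHED: ["https://sso.example.com/enroll"]}


def stand_in_decoder(data: bytes) -> List[str]:
    """Stand-in for a real decoder (e.g. pyzbar.decode) so the demo runs offline."""
    return FAKE_DECODED.get(data, [])


def build_sample_email() -> bytes:
    """Constructed lure: an 'MFA re-enrollment' notice with an inline QR and an attached one."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "IT Helpdesk <helpdesk@example.com>"
    msg["Reply-To"] = "helpdesk@example-support.tld"   # reply path leaves the company domain
    msg["Subject"] = "Action required: re-enroll your authenticator"
    msg.attach(MIMEText("Scan the code with your phone to keep MFA active.", "plain"))
    inline = MIMEImage(FAKE_PNG_INLINE, _subtype="png")
    inline.add_header("Content-Disposition", "inline")
    msg.attach(inline)
    attached = MIMEImage(FAKE_PNG_ATTACHED, _subtype="png")
    attached.add_header("Content-Disposition", "attachment", filename="invoice-qr.png")
    msg.attach(attached)
    return msg.as_bytes()
```

Running `scan_email(build_sample_email(), stand_in_decoder)` yields two findings: the inline image decodes to a shortener link over plain HTTP with "mfa" in the path and is blocked, while the attached image decodes to a link on the trusted SSO domain but is still held for review because the Reply-To address leaves the company domain. The point of the design is that the verdict is made on the decoded destination plus the surrounding signals, which is exactly what plain URL scanning cannot see when the link only exists as pixels.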
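Woodward's advice under "Cross-device and mobile security" about keeping tight controls on URL shortening and redirects from the company's own domain, and asking "how could someone abuse this link?" before publishing a QR code, comes down to two controls: a redirect endpoint that only ever sends users to the organisation's own hosts, and a short-link service that validates targets at creation time and keeps a record of what was published. The Python below is an added example written for this article, not code from Okta or the article's author; the allowlisted hostnames and slugs are constructed.

```python
"""Added example (not the article's or Okta's code): hardening a company's own
redirect and short-link endpoints so a QR code pointing at the company domain
cannot be turned into an open redirect. Hostnames and slugs are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse, urlunparse

ALLOWED_HOSTS = {"example.com", "www.example.com", "sso.example.com"}  # constructed allowlist


def safe_redirect_target(raw: str, allowed_hosts: set = ALLOWED_HOSTS, default: str = "/") -> str:
    """Return an on-origin path or an https URL on an allowlisted host; anything else -> default.

    The checks cover the usual open-redirect tricks: control characters and
    backslashes (browsers read '/\\evil.tld' as '//evil.tld'), non-http schemes
    (javascript:, data:), scheme-relative '//evil.tld' and '///evil.tld',
    'https:/evil.tld', and userinfo such as 'https://example.com@evil.tld',
    which urlparse().hostname correctly resolves to evil.tld."""
    value = raw.strip()
    if not value or any(ord(c) < 0x20 for c in value) or "\\" in value:
        return default
    parts = urlparse(value)
    if parts.scheme or parts.netloc or value.startswith("//"):
        if parts.scheme and parts.scheme not in ("http", "https"):
            return default
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return default
        # Canonical form: force https, drop userinfo, port and fragment.
        return urlunparse(("https", host, parts.path or "/", parts.params, parts.query, ""))
    if not parts.path.startswith("/"):   # 'evil.tld/x' or '%2F%2Fevil.tld' are not paths
        return default
    return urlunparse(("", "", parts.path, parts.params, parts.query, ""))


class ShortLinkRegistry:
    """Company-run short links of the kind printed into QR codes.

    Every slug records its owner and a validated target, so "what QR codes did we
    put out into the wild?" is answerable, unknown slugs get a 404 instead of a
    redirect, and audit() re-checks stored targets whenever the allowlist changes."""

    def __init__(self, allowed_hosts: set = ALLOWED_HOSTS):
        self.allowed_hosts = set(allowed_hosts)
        self._links: Dict[str, dict] = {}

    def create(self, slug: str, target: str, owner: str) -> str:
        if not re.fullmatch(r"[A-Za-z0-9_-]{3,32}", slug):
            raise ValueError(f"bad slug: {slug!r}")
        safe = safe_redirect_target(target, self.allowed_hosts, default="")
        if not safe:
            raise ValueError(f"target not allowed: {target!r}")
        self._links[slug] = {"target": safe, "owner": owner}
        return safe

    def resolve(self, slug: str) -> Optional[str]:
        entry = self._links.get(slug)
        return entry["target"] if entry else None   # None -> serve 404, never echo input

    def audit(self) -> List[str]:
        """Slugs whose stored target no longer passes the current allowlist."""
        return [slug for slug, e in self._links.items()
                if safe_redirect_target(e["target"], self.allowed_hosts, default="") != e["target"]]
```

Call `safe_redirect_target` on the already URL-decoded parameter your web framework hands you (a `next` or `return_to` value), and serve a 404 rather than a redirect whenever `ShortLinkRegistry.resolve` returns `None`. Re-running `audit()` after the allowlist shrinks is the practical answer to the "what did we put out into the wild" question: it lists every published short link whose destination the organisation would no longer approve today.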