How “Quishing” Threatens Your Business

Threat actors are constantly finding new and innovative ways to compromise systems, and the latest technique is “quishing.” Quishing – short for QR code phishing – leverages the growing use of QR codes in workplace communication to bypass traditional phishing defenses. Sophos recently released research from its X-Ops team highlighting how these attacks are growing in sophistication and frequency, including in South Africa.

What is Quishing?

Quishing attacks involve embedding fraudulent QR codes in PDF attachments sent via email. These codes are designed to appear legitimate, often disguised as important business documents related to payroll, employee benefits, or other HR-related topics. When scanned by an employee’s mobile device, the QR code redirects them to a phishing site designed to harvest sensitive credentials and bypass multi-factor authentication (MFA).

Sophos researchers found that mobile devices are often less protected than corporate systems, making them a prime target for these attacks. Andrew Brandt, principal researcher at Sophos X-Ops, explains:
“Our research reveals that quishing attacks are intensifying in both volume and sophistication, particularly in how the fraudulent PDFs and QR code graphics are designed to deceive employees.”

How Quishing Works

Quishing attacks rely heavily on social engineering to trick users into taking action. By creating a sense of urgency or legitimacy, attackers lure employees into scanning the QR code without questioning its authenticity. Once on the phishing site, employees may unknowingly share sensitive login credentials, giving attackers access to corporate systems.

Some malicious actors now offer quishing-as-a-service platforms, complete with advanced tools like CAPTCHA bypasses, IP address proxies, and credential capture features. These services are making it easier for cybercriminals to launch sophisticated phishing campaigns.

Defending Against Quishing Attacks

To combat this rising threat, Sophos X-Ops recommends a multi-layered approach to cybersecurity:

1. Be Wary of Internal Emails on Sensitive Topics
   Emails referencing salaries, benefits, or HR matters are commonly used in quishing attacks. Employees should exercise caution and verify any such communications before scanning QR codes.
2. Use Secure QR Code Scanners
   Sophos Intercept X for Mobile, available on Android, iOS, and Chrome OS, includes a secure QR code scanner that alerts users if a URL is malicious.
3. Monitor Sign-In Activity and Enable Conditional Access
   Identity management tools can detect unusual login attempts, while Conditional Access ensures only trusted devices and locations can access sensitive systems.
4. Implement Advanced Email Filtering
   Sophos’ QR code phishing protection solution helps detect and block fraudulent QR codes in emails and attachments. The solution will expand further in early 2025.
5. Encourage Vigilance Among Employees
   Fostering a culture of cybersecurity awareness is crucial. Employees should report any suspicious activity to the incident response team immediately.
6. Revoke Suspicious User Sessions
   Organizations must have a plan in place to revoke access from users showing signs of compromise quickly.

Staying Ahead of Emerging Threats

Quishing demonstrates how attackers are adapting their methods to exploit new vulnerabilities. However, businesses can stay ahead by leveraging advanced cybersecurity tools, promoting awareness, and partnering with trusted security vendors.

• Pieter Nel, Sales Director – SADC , SOPHOS