There’s been a significant increase in quishing emails recently. I’ve personally received three in the past two weeks. If you’re not familiar with it, the term “quishing” is a portmanteau of “QR” and “phishing,” the latest of the phishing variants. In quishing, an email is sent with a QR code in the body. The email will look like it’s from a legitimate sender such as Microsoft or DocuSign. The message will tell you to scan the QR code to validate your account, view your document, or satisfy one of several other seemingly plausible requests.

Scanning the QR code with a smartphone will do something nefarious. Most commonly it will bring the victim to an authentic-looking sign-in page for that company. Entering credentials simply forwards them to a hacker, who signs in as the victim. If the site requires multifactor authentication (MFA), the MFA prompt goes back to the victim, who unwittingly approves the hacker’s sign-in. The hacker will then have full access to that account. In other cases, the page may present a form asking for personal information, or may simply download malware to the victim’s phone.

Why does this work?

QR codes have become so commonplace that scanning one is almost a reflex for some people. See QR code… scan it… go to website… follow instructions. When setting up MFA, users are often asked to scan a QR code from a web page. Business smartphone apps are often distributed by emailing QR codes to employees. So, receiving a QR code in an email may not seem too far off-base. And since a QR code is simply a picture, conventional anti-phishing products have no malicious attachment or link to scan; the URL is hidden inside the image. This makes it nearly impossible for those products to tell whether the email is malicious.
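As an added example (not code from the post), here is a triage heuristic using only Python’s standard library: it flags messages whose only actionable element is an inline picture paired with a “scan” call to action, and hands the image bytes to whatever QR decoder and URL scanner a link would normally go through. The message builder, the HTML samples and the placeholder image bytes are all constructed for illustration.

```python
import re
from typing import Optional
from email.message import EmailMessage

# Call-to-action phrasing typical of QR lures (constructed pattern; tune to your mail flow)
SCAN_CTA = re.compile(r"\bscan\b.{0,80}\b(qr|code|camera|phone)\b", re.I | re.S)
CLICKABLE = re.compile(r"""href\s*=\s*["']https?://""", re.I)
TAG = re.compile(r"<[^>]+>")

def build_sample(html: str, qr_image: Optional[bytes] = None) -> EmailMessage:
    """Construct a multipart test message; the image bytes stand in for a QR picture."""
    msg = EmailMessage()
    msg["From"] = "no-reply@example.invalid"   # constructed sender, not a real domain
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Action required"
    msg.set_content("Open this message in an HTML-capable client.")
    msg.add_alternative(html, subtype="html")
    if qr_image is not None:
        html_part = msg.get_payload()[1]      # the text/html alternative
        html_part.add_related(qr_image, maintype="image", subtype="png", cid="<qr@example>")
    return msg

def quishing_triage(msg: EmailMessage) -> dict:
    """Heuristic: an inline image as the lure, a 'scan' call to action, and no ordinary links."""
    html, images = "", []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
        elif part.get_content_maintype() == "image":
            images.append(part.get_payload(decode=True))
    visible = TAG.sub(" ", html)
    verdict = {
        "has_inline_image": bool(images),
        "has_scan_cta": bool(SCAN_CTA.search(visible)),
        "has_clickable_link": bool(CLICKABLE.search(html)),
    }
    # Flag when the picture is the only thing the reader is asked to act on; a gateway
    # then decodes the QR image and runs the decoded URL through its normal link checks.
    verdict["suspicious"] = (verdict["has_inline_image"] and verdict["has_scan_cta"]
                             and not verdict["has_clickable_link"])
    verdict["images_to_decode"] = images if verdict["suspicious"] else []
    return verdict

LURE_HTML = ('<p>Your document is ready. Scan the QR code below with your phone to view it.</p>'
             '<img src="cid:qr@example">')
BENIGN_HTML = '<p>Your invoice is ready. <a href="https://portal.example.invalid/inv">View online</a></p>'
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed placeholder, not a real QR image

if __name__ == "__main__":
    print(quishing_triage(build_sample(LURE_HTML, FAKE_PNG))["suspicious"])   # True
    print(quishing_triage(build_sample(BENIGN_HTML))["suspicious"])           # False
```

The heuristic is a routing aid, not a verdict: the real check is decoding the image and scanning the URL it contains.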

What you can do

There is some technology you can put in place to prevent some of this, some of the time. I’ll get to that in a moment. But by far the best way to avoid these scams is deliberate caution. Treat QR codes the way you treat links and attachments in emails—don’t scan, don’t click, don’t open unless you’re 100% sure of the source. Get yourself and your employees on a security awareness training program so you’re continually reminded of the latest attacks. And by the way, hackers have been known to print QR codes on stickers and place them over legitimate QR codes on restaurant menus and public posters. Treat those the same way.

For tech, see if the web portals you work in have settings to restrict access to specific IP addresses. Microsoft 365, for instance, allows you to set up conditional access policies for this. You can then set these to allow users to sign in only from your office, your VPN, or another zero-trust network platform, so stolen credentials alone are not enough from an attacker’s location. Single sign-on (SSO) is also a good way to make it harder for hackers to access your accounts. Unfortunately, many web apps still don’t support either of these, which is why I strongly recommend the education route.