“Quishing (QR Code Phishing) (is a) rapidly growing attack vector, increasing from 0.8% of phishing attempts in 2022 to 12.4% in 2024,” reports Intersys, a UK company that provides cyber risk management services to the insurance sector. Other cyber experts are sounding the same alarm, and warning of “brushing,” another scam increasingly linked to quishing. The quishing warning from Intersys comes as part of its call for insurers to improve their cyber security, which appears worse than might be imagined. “GCHQ (UK’s intelligence, security, and cyber agency) says significant numbers in the insurance sector use out-of-date Windows,” reports Intersys.
How Quishing Works
It’s unclear whether the specific increase in quishing reported by Intersys is global, or limited to the UK or US. But multiple sources agree such attacks are increasing dramatically. Just last month New Jersey’s cyber experts issued an alert about quishing.
“Threat actors use legitimate software tools and QR codes that appear genuine or official but may be tampered with, directing targets to phishing websites and fraudulent payment portals to steal sensitive information, account credentials, or funds. These campaigns can also deliver malware, ransomware, or trojans that automatically download, infiltrate devices, and launch further attacks,” summarizes the State of New Jersey’s Cybersecurity and Communications Integration Cell, or NJCCIC. The organization also presented examples of quishing attacks, including the one below sent only a few weeks ago to New Jersey state employees.

The NJCCIC and other experts recommend the following defenses:
* If you get an unsolicited email, make sure the QR code is legit before scanning it. That can include looking for erased or obscured portions in a code, potential signs of tampering;
* Before scanning a QR code, check out the “URL preview” provided by many devices, including phones. Evaluate the URL for suspicious signs such as words that are misspelled or do not match the apparent context of the code; and
* Maintain good overall cyber security, keeping your device’s software updated, using strong passwords and enabling MFA.
Quishing Before “Brushing”
Crooks are now combining quishing with another scam — brushing, warns the US Postal Inspection Service. This is when you receive a delivery with an item you didn’t request and no indication of who ordered it for you. The sender then uses your identity — as a now “verified buyer” of the product — to write a fake review in your name to boost sales of the product. “Cards with QR codes are being sent inside packages as a part of brushing scams. The QR code is sent under the guise that you need to scan the code to find out who sent you the gift or to get more information about the company that sent the gift,” warns the Postal Service. Of course, instead of getting info on who sent the package, you’re subjected to a quishing attempt.
