Online shoppers warned of QR code phishing scam
With Black Friday on the horizon and peak holiday shopping underway people are expecting deliveries. When shoppers are tracking multiple orders at once they are far more willing to trust a parcel that arrives unexpectedly and a new quishing scam is looking to exploit that.
If scammers have your name and address from previous data breaches, scraped social media posts or public directories, they cab easily make a fake parcel look authentic. Adding a QR code makes people think it’s related to tracking or returns so they’re likely to scan it without thinking.
New techniques help malicious QR codes evade detection
Threat researchers at Barracuda have uncovered two new techniques being used by cyber attackers to help malicious QR codes evade detection in ‘quishing’ attacks.
Quishing is a form of phishing that involves the use of QR codes embedded with malicious links that, when scanned, redirect victims to fake websites designed to steal their credentials or other sensitive information.
Holiday season cybersecurity alert: QR code phishing scams
Thanks to the proliferation of smartphones, QR code usage globally has surged by 57 percent, and by 2025, it is forecast to increase by another 22 percent. And up to eight new QR codes are generated per minute globally.
It is no surprise then why QR codes are everywhere -- on billboards, shopping malls, event brochures, restaurant menus, charity websites, parking spaces, you name it! Of course, the genius of QR codes is their ease of use and convenience. For users, one scan and the job is done, be that registering for an event or purchasing an item.
The phishing threat landscape evolves
Phishing is on the rise. Egress' latest Phishing Threat Trends Report shows a 28 percent surge in attacks in the second quarter of 2024 alone. But what’s behind the increase? There are a few factors in play. Like any other form of threat, phishing is becoming more sophisticated with hackers now having access to a variety of new AI-powered tools to generate email messages, payloads, and even deepfakes.
Further, these technologies and the cyberattacks they can create are now easier to access than ever. Especially as more hackers tap into the professional services on offer from a mature and diverse Crime as a Service (CaaS) ecosystem of providers selling everything from the mechanisms to create attacks to pre-packaged phishing toolkits that promise to evade native defenses and secure email gateways (SEGs).
