CTW #4 — February 2024 - National Cybersecurity Society

NCSS-3397-Bulletin-Header-Footer-Header Graphic 1600x350-Compressed

Published: February 16, 2024

Our new bulletin Cyber Threat Watch has been created to help small businesses stay up to date on the latest threats, news, and events affecting their business. The content has been curated to make cybersecurity easy and accessible for both technical and nontechnical readers.

Featured Cyber Threat —Quishing (QR Code Phishing)

In the dynamic landscape of cyber threats, organizations grapple with persistent challenges posed by unwanted emails and the growing threat of phishing attacks. As cybercriminals innovate tactics, one notable trend has surfaced: quishing. This is a form of phishing through QR codes by replacing the traditional way of using malicious uniform resource locators (URLs) with QR codes in email communications.

How Quishing Works

In phishing attacks, cybercriminals aim to steal login credentials or valuable information by setting up fraudulent websites that mimic secure platforms. Quishing extends this strategy by replacing such traditional hyperlinks with QR codes, challenging security systems’ ability to analyze QR code contents effectively.

Without suspecting, email recipients may unintentionally scan QR codes embedded within the email body—this poses challenges for traditional email security systems, relying on recipients to understand the threat and avoid falling victim as they potentially lack the capability to extract and inspect URLs from QR codes.

Concept of using smartphones to scan QR codes to make payment. Customer making payment through mobile phone and scan code for online shopping. Use of technology in the daily life of modern people.

Protection Strategies

To mitigate the potential risk posed by quishing, it is recommended that organizations take the following approach:

Employee Training:
- Educate employees about the new form of phishing attacks using QR codes
- Foster a vigilant workforce capable of recognizing malicious emails
- Establish a reporting process to notify IT personnel for prompt risk mitigation
Technological Measures:
- Use email security systems to scan for known malicious URLs
- Extend this capability to URLs encoded within QR codes
- Monitor the Internet websites for fraudulent websites and take them offline by employing services such as Digital Risk Protection (DRP)

Caution: QR Code Scanning on Mobile Devices

When using mobile devices such as a cellphone or tablet to scan QR codes, exercise caution by adopting the following practices:

Use the QR Code Scanner App:
- Consider using reputable QR code scanner apps that come with security features. Some apps offer built-in URL scanning, allowing users to preview the destination URL or content before opening.
Check the Domain:
- Hover your device’s camera over a QR code without scanning—your device may display the destination URL. Verify that the domain is legitimate and matches the official website of the entity it claims to be associated with.
Inspect the Design:
- Beware of unsolicited QR codes by checking over noticeable design flaws or inconsistent branding. Legitimate codes often have a consistent design that aligns with the provided context.
Verify Through Official Channels:
- Check official websites to verify the authenticity of QR codes. If the QR code is associated with a product or event, visit the official support channels to confirm the legitimacy of the code.
Be Skeptical:
- Avoid scanning codes from unknown or suspicious sources. Stay informed about new phishing tactics and refrain from scanning if in doubt. Vigilance is key in protecting against malicious content associated with QR codes.

In conclusion, the rise of quishing necessitates organizations to update their cybersecurity strategies. A holistic approach, encompassing employee training with the robust reporting process and technological proactive measures, can effectively reduce the risks associated with this emerging threat.

The NCSS encourages businesses to adopt comprehensive security practices and stay informed about evolving threats. We recommend you leverage a managed security service provider (MSSP). We have partners who can help, here. For more information, visit our Small Business page.

References

https://www.cybersecurityintelligence.com/blog/understanding-the-threat-of-qr-codes-and-quishing-7247.html

https://www.phishlabs.com/blog/cybercriminal-focus-in-the-new-year-top-2024-threat-trends

https://cofense.com/blog/top-10-qr-code-phishing-questions/

https://cybersecurity74.com/how-to-avoid-qr-code-scams/

https://www.qr-code-generator.com/blog/free-barcode-scanner-app/

https://www.digitaltrends.com/mobile/best-qr-code-scanning-apps/

NCSS-3397-Bulletin-Header-Footer-Attribution Banner 1600x200

About the NCSS

The National Cybersecurity Society (NCSS) is committed to improving the online safety and security of the small business community through education, awareness, and advocacy. As a 501(3)(c) organization, the NCSS uses funds from charitable donations and grants to develop educational materials, webinars, weekly cyber tips, videos, and how-to-guides. The organization’s goal is to enable and empower small and medium businesses to obtain cybersecurity services, assist them in understanding their cyber risk, and advise on the type of protection needed. We want to continue to grow our community and encourage you to tell other small businesses we are here to help.

The NCSS is committed to respecting the use of images in our communication efforts. Accordingly, unless otherwise specifically noted, the graphics in our bulletin are sourced under license from Adobe Stock. The header and footer images were designed and purchased through a contract with Eyedea Advertising & Design Studio.