ChannelLife Australia - Industry insider news for technology resellers
Australia
Guides
#
cloud services
#
cybersecurity
#
distributors
#
microsoft
#
partner programmes
Search
Story image
#
Malware
#
Digital Transformation
#
Digital Literacy

Quishing attacks rise as QR codes pose new cybersecurity risks

Today
Author image
By Catherine Knowles, Journalist

QR codes are increasingly being exploited as a cybersecurity threat, with a rise in malicious tactics known as Quishing targeting individuals and organisations.

Once considered a symbol of digital convenience, QR codes are now ubiquitous in locations such as restaurants, logistics centres, and advertising materials. However, experts warn that these pixelated patterns are also being used to facilitate phishing attacks and distribute malware.

Quishing, or QR code phishing, involves embedding a malicious link in a QR code, leading unsuspecting users to fraudulent websites or prompting malware downloads. Unlike traditional email-based phishing, which relies on deceptive subject lines or dubious sender addresses and is often screened by users, Quishing bypasses these conventional red flags. When users scan a QR code with their mobile device, the expectation is that they will access a trusted site, but often they are redirected to counterfeit websites that can steal sensitive data such as login credentials or banking details, or even install spyware.

The Australian Cyber Security Centre (ACSC) has issued warnings highlighting an upsurge in Quishing attacks, noting that scammers have used counterfeit QR codes to impersonate trusted Australian services such as Australia Post, major banks, and MyGov. According to the ACSC, these tactics are becoming increasingly commonplace.

QR codes were originally designed for industrial use in the 1990s, but their widespread adoption was accelerated during the COVID-19 pandemic. Their use has expanded across hospitality, events, retail and more, making them an everyday fixture and, in turn, expanding the potential attack surface for cybercriminals.

Data from a 2024 report by Keepnet Labs indicates that globally, 2% of scanned QR codes were linked to malicious domains, and there has been a 51% increase in Quishing attacks year-over-year. Many victims are only alerted to breaches after experiencing data loss, identity theft, or financial fraud.

One of the challenges is that QR codes are predominantly scanned using mobile phones, devices which may lack robust tools for previewing web links. This limited visibility, combined with the urgency that often accompanies QR code interactions - such as accessing a menu, registering for entry, or unlocking Wi-Fi - results in users frequently bypassing caution when scanning codes.

The effectiveness of Quishing stems from its exploitation of trust and speed. Consumers have grown accustomed to scanning QR codes reflexively in everyday situations, such as at cafés or shops. Cybercriminals are able to take advantage by producing convincing stickers with malicious QR codes and placing them over legitimate ones in public locations including car parks, public transport stations and various retail environments.

The business impact of these attacks extends beyond individual losses. Organisations integrating QR codes into customer-facing operations face risks to brand reputation and customer trust if a compromised QR code redirects users to phishing sites masquerading as the business itself.

Melbourne-based cybersecurity firm Borderless CS has observed a growing concern regarding unsecured QR codes in both public and enterprise settings. One of the firm's Cybersecurity Consultants commented, "People think of QR codes as passive. But they are live links, gateways into your digital environment. If you don't control where they lead, someone else will."

Borderless CS recommends that businesses regularly audit all public-facing QR codes and employ secure, trackable links hosted on branded domains as protective measures.

For organisations, suggested strategies to prevent Quishing include using secure, custom short links hosted on branded domains, implementing monitoring tools to track QR code scans and detect anomalies, educating staff about threats, adding digital signatures or watermarks to QR code designs to deter tampering, and redirecting QR codes through verified landing pages to reassure users of their safety.

Consumers are advised to avoid scanning random QR codes found in public places or from unsolicited emails, always check the destination domain after scanning, use QR scanners with preview functions, and refrain from entering personal information on unfamiliar or unexpectedly loaded websites.

Experts argue that as QR code use continues to shape interactions with products, services and people, the associated cybersecurity risks will become increasingly complex. They stress the importance of approaching QR codes with the same caution and scrutiny as email and websites, and integrating them as a key part of digital perimeter defence for both organisations and consumers.

Borderless CS stresses the importance of vigilance: "Every QR code is a doorway. If you don't lock it, someone else will walk right through."

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Block Earner wins Federal Court appeal against ASIC in key crypto ruling
Expel expands MDR platform to boost email threat detection
iWorkplace Elements launched in Australia to aid 365 compliance
SnapLogic & Glean partner to streamline enterprise AI data use
Hisense launches AI-powered ULED TVs up to 100 inches
Top stories
Hotwire launches AI-powered Spark tool & global AI Lab
OPSWAT partners with Sektor Cyber to boost ANZ presence
Veeam unveils secure AI access to backups with Anthropic MCP
Veeam unveils cloud solution to protect Microsoft Entra ID
CrowdStrike launches Falcon Privileged Access to block threats