Table of contents
- What is Quishing
- The Split QR technique
- Nested QR codes
- Why Quishing works
- How to defend yourself
What is Quishing
Quishing (or QRishing) is a form of phishing that exploits QR codes to redirect victims to malicious websites, stealing credentials and sensitive data.
Experts at Barracuda Networks have identified new techniques designed to evade traditional security systems.
The Split QR technique
The Gabagool kit uses a split QR code attack. Hackers divide the QR into two separate images, placed side by side in a phishing email.
To the human eye, it looks like a single QR code, but scanners detect only harmless fragments. Once scanned with a smartphone, it redirects victims to a fake Microsoft site to steal login details.
Nested QR codes
The Tycoon PhaaS kit uses QR nesting. A legitimate QR (e.g., linking to Google) is surrounded by a malicious QR, redirecting to a dangerous URL. This confuses scanners and increases the chances of the attack succeeding.
Why Quishing works
Malicious QR codes are effective because they appear trustworthy and are often scanned via mobile devices, outside corporate security perimeters. This allows cybercriminals to bypass protection and steal data more easily.
How to defend yourself
Basic protection measures include:
- Awareness training for users
- Multi-factor authentication
- Advanced anti-spam filters
- AI-driven, multi-layered email protection
Multimodal AI can inspect QR codes automatically and detect hidden threats before they reach the target.
