By Karthick Chandrasekar, ManageEngine associate director

Recently, the Department of Information and Communications Technology (DICT) announced that the Philippine Health Insurance Corporation (PhilHealth) and the Department of Science and Technology (DOST) suffered cyberattacks, which are suspected to be ransomware attacks. Faced with an increasing number of sophisticated cyberattacks, government agencies in the Philippines are racing to strengthen the security measures protecting core systems and data.

QR phishing, known popularly as quishing, is a method of redirecting victims to malicious sites or downloading malware onto their devices using quick-response (QR) codes. Phishing reigns as the preferred approach for cybercriminals to gain access to sensitive personal information such as credit card numbers and login credentials. The reason it’s such a popular method of attack is that it exploits the weakest link of cybersecurity: the human factor.

Quishing mind games

Phishing relies on building trust with victims to convince them to volunteer sensitive information. Quishing does the same, but bypasses traditional anti-phishing methods. Since personal devices are not usually protected by the same level of cybersecurity policies as company devices, security breaches caused by quishing are tougher to identify or mitigate.

Threat actors use manipulative tactics to increase the success of their quishing campaigns, including:

Leveraging authority and exploiting trust

Quishing is powered by fake personas from reputable organizations like banks or law enforcement. Advanced attackers feed into the deception via carefully replicated logos and communication styles. Leveraging the trust that exists around a brand or entity, perpetrators try to lower a victim’s guard and convince them of their legitimacy. Similarly, they prey on people’s tendency to comply with authority figures unquestioningly, often by posing as senior executives or government personnel.

Instilling fear or urgency via manipulative language

Manipulative language is a phisher’s most potent weapon. They are skilled at convincing victims that their communications are trustworthy, often by being friendly and caring to establish a false sense of trust. Alternatively, they can be masters at intimidation, tapping into the fear of authority via aggressive language and threats to force victims to comply with their demands, like scanning a QR code. Both approaches are often successful at bypassing any initial skepticism a victim may have.

Appealing to curiosity or greed

Where fear or friendliness may prove ineffective, attackers have learned to appeal to a person’s curiosity or greed by offering tantalizing financial rewards. This can involve an enticing offer—such as free software downloads or access to exclusive content—in exchange for personal information.

Psychology behind quishing

Phishers are master manipulators and people fall victim to quishing scams because attackers know exactly how to override rational thought processes. These tactics are highly successful due to certain psychological factors:

Suggestibility and cognitive bias

People are trained to take threats seriously. However, this means they typically feel obliged to follow instructions from authority figures and, therefore, may not question emails or messages that appear to come from legitimate entities. This can undermine an organization’s security efforts, as individuals who tend to be excessively obliging make great targets for phishing scams.

While it varies from person to person, overconfidence bias, or the tendency to overestimate the accuracy of one’s judgments, can also lower a person’s guard and increase their susceptibility to such scams. The Philippine National Police (PNP) Anti-Cybercrime Group recently reported that nine suspects were nabbed for alleged involvement in voice phishing scams where they pretended to be bank employees. An estimated ₱40 million was siphoned from the victims’ bank accounts.

Content, timing, and social proof

The effectiveness of a phishing attack depends on certain factors, such as context and timing. If a person is stressed, their judgment may be impaired, making them more susceptible. Similarly, attackers exploit social proof, the psychological concept that people are influenced in their decision-making by others, compelling them to act within societal norms or expectations. Attackers can create a sense of urgency in their victims by claiming that others have scanned the code, and they should too.

A cyclic campaign

Quishing often begins with QR codes embedded into fake emails or legitimate QR codes being replaced with malicious ones. If successful, the information acquired can be used to target others. This cycle, aided by persuasion tactics, makes quishing a persistent threat.
With AI in the mix, phishing campaigns are gaining more traction. Deepfakes make phishing efforts more sophisticated, and as people tend to trust what they see, it’s easier to convince them to scan a malicious QR code.

Ramping up your defenses against quishing

A key element in defending against quishing is employing insights from behavioral science. Information technology (IT) security experts can be brought in to deliver targeted training programs that focus on cognitive bias and heuristics.

Organizations must also ensure employees’ devices are protected. This includes using multi-factor authentication (MFA) and leveraging robust software for web filtering to block malicious websites. Businesses can further empower their employees to defend against quishing by instilling caution around QR codes. For example, organizations that have the tools to carry out threat intelligence can send out emails that provide updates on new cybercrime trends.

Ultimately, quishing may be yet another threat facing organizations, but there is no reason it can’t be stopped.