
HC3 Sheds Light On QR Code-Based Phishing as Threat to Healthcare Cybersecurity

Threat actors have been abusing QR codes to advance phishing attacks in an attack method known as “quishing,” HC3 warned.


By Jill McKeon

The Health Sector Cybersecurity Coordination Center’s (HC3) latest white paper examined the risks of “quishing,” or QR code-based phishing attacks. The growing popularity of quick response (QR) codes, which were designed to read and transmit data efficiently, has led to an increase in QR code abuse.

The white paper defined a QR code as a “machine-readable image in the form of a matrix that transmits information when scanned by an information system.”

Since legitimate QR codes are often sent via email, it is easy for threat actors to work them into phishing schemes. The destination URL is encoded in the image rather than shown as text, so the recipient cannot inspect the link before scanning it, text-based URL filters on the mail gateway do not see it either, and the scan usually lands on a personal phone outside the organization’s web filtering.

Phishing and other social engineering techniques remain among the most effective attack methods against healthcare and other industries. The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) found that phishing was the most frequently reported cybercrime of 2021: IC3 received 323,972 phishing complaints that year, up from 241,342 in 2020.

“Fundamentally, quishing is very similar to phishing in the abuse of links to trick the victim into interacting with them,” HC3 explained. “The ability to trick a user into scanning a QR code is often based on false context; an e-mail containing text and graphics falsely creating the impression that it is something the user would be interested in.”

Like standard phishing attacks, quishing can be hard to detect and mitigate. HC3 recommended a defense-in-depth strategy, starting with ensuring that the organization’s mail server is configured with spam filtering.

“Second, awareness training for end users is imperative. They should be trained to detect a phishing e-mail and interact with all e-mail with a healthy degree of skepticism,” HC3 noted.

References to invoices, requests for personal information, suspicious sender addresses, and misspellings may indicate phishing. Lastly, HC3 urged organizations to implement multi-factor authentication and robust security software to mitigate the risk.
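HC3’s recommendations above (gateway filtering, awareness of the listed indicators, and treating the link behind a QR code with the same skepticism as any other link) can be turned into a mail-gateway triage check. The following is an added example, not code from HC3’s white paper or from this article. It assumes the QR image has already been decoded by an upstream barcode library and that the decoded payload is passed in as `decoded_urls`; the allowlist, lure phrases and both sample messages are constructed for illustration.

```python
"""Mail-gateway triage for QR-code phishing ("quishing").
Added example, not code from HC3's white paper or this article. Assumed: the
QR image was already decoded upstream by a barcode library and its payload is
passed in as decoded_urls; allowlist, lure phrases and sample mails are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_HOSTS = {"mfa.example-hospital.org", "portal.example-hospital.org"}  # constructed allowlist
LURE_PHRASES = ("invoice", "password", "verify your account", "social security")  # HC3's indicators
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
QUARANTINE_THRESHOLD = 4
_PNG_B64 = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII="


def parse_message(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def image_parts(msg: EmailMessage) -> list:
    """Inline or attached images: the only place a QR lure can live."""
    return [p for p in msg.walk() if p.get_content_maintype() == "image"]


def visible_text(msg: EmailMessage) -> str:
    """Subject plus every text body part, lower-cased for phrase matching."""
    bodies = [p.get_content() for p in msg.walk()
              if p.get_content_type() in ("text/plain", "text/html")]
    return " ".join([str(msg.get("Subject", "")), *bodies]).lower()


def sender_mismatch(msg: EmailMessage) -> bool:
    """True if Reply-To, or an address embedded in the display name, is on a
    different domain than the real From address (a common lure pattern)."""
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        return True
    embedded = re.search(r"@([\w.-]+)", name)
    return bool(embedded and embedded.group(1).lower() != from_domain)


def triage(raw: str, decoded_urls) -> dict:
    """Score one message; decoded_urls are the QR payloads found in its images."""
    msg = parse_message(raw)
    text = visible_text(msg)
    score, reasons = 0, []
    # A QR code as the only call to action is the quishing signature: the link is
    # hidden in pixels, so neither the reader nor a text-based URL filter sees it.
    if image_parts(msg) and not URL_RE.search(text):
        score += 2
        reasons.append("image attached but no clickable link in body")
    hits = [w for w in LURE_PHRASES if w in text]
    if hits:
        score += len(hits)
        reasons.append("lure phrases: " + ", ".join(hits))
    if sender_mismatch(msg):
        score += 2
        reasons.append("display name or Reply-To domain differs from From")
    for url in decoded_urls:  # judge the QR destination, not the image
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            score += 3
            reasons.append(f"QR destination {host!r} is not an approved host")
        if parts.scheme != "https" or IP_HOST_RE.match(host):
            score += 1
            reasons.append(f"QR destination {url!r} is plain http or an IP literal")
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


def sample_message(headers: str, body: str) -> str:
    """Constructed multipart mail: one text part plus a 1x1 PNG standing in for the QR image."""
    return (f'{headers}\nMIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="qr-boundary"\n\n'
            f'--qr-boundary\nContent-Type: text/plain; charset="utf-8"\n\n{body}\n'
            f'--qr-boundary\nContent-Type: image/png; name="qr.png"\nContent-Transfer-Encoding: base64\n\n'
            f"{_PNG_B64}\n--qr-boundary--\n")


LURE_MSG = sample_message(
    'From: "billing@example-hospital.org" <billing@notice-mailer.xyz>\n'
    "Subject: Overdue invoice - action required",
    "Your invoice is overdue. Scan the QR code with your phone to verify your account.")
ENROL_MSG = sample_message(
    "From: IT Service Desk <servicedesk@example-hospital.org>\n"
    "Subject: Enrol your phone for multi-factor authentication",
    "Scan the QR code in the authenticator app, or open "
    "https://mfa.example-hospital.org/enrol on your phone.")

if __name__ == "__main__":
    print(triage(LURE_MSG, ["http://203.0.113.9/login"]))   # quarantine, score 10
    print(triage(ENROL_MSG, ["https://mfa.example-hospital.org/enrol"]))  # deliver, score 0
```

Running the file prints the two verdicts. The first check encodes the practical observation that a legitimate sender almost always offers a clickable alternative beside a QR code, so an image with no link is itself a signal; the last check is the one that matters most, because once the QR payload is decoded it is just a URL and should be judged like any other link rather than trusted because it arrived as a picture. The weights and threshold are illustrative and should be tuned against the organization’s own mail.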