Phishing attack computer system.

Quishing involves embedding or attaching QR codes into phishing emails, which direct unsuspecting users to malicious websites, according to a report by Egress.

Embedded QR codes in phishing emails accounted for just 0.8% of phishing attacks between 2021 and 2022, the data showed, with the figure skyrocketing to 12.4% in 2023. The mark remained at 12% between January and August of 2024, securing a 1400% increase in quishing since 2021.

“The trend is expected to continue until more organizations implement advanced security defenses that can identify and neutralize quishing attempts, reducing the effectiveness of these attacks and forcing cybercriminals to shift toward other tactics,” Egress said in the report.

Meanwhile, the number of mobile users in the U.S. interacting with QR codes is expected to reach 100 million by 2025, according to Egress.

Egress insights on why cybercriminals use quishing include:

  • Widespread mobile user adoption— the number of unique mobile phone users is estimated to surpass 5.61 billion globally. Between 2022 and 2025, the number of consumers in the U.S. who scan QR codes with their smartphones is predicted to increase by 16 million.
  • Ease of use— creating QR codes is straightforward and low cost, thanks to numerous online generators, mobile apps, and APIs that require little-to-no expertise. This accessibility expands the pool of potential threat actors, including those who may lack advanced technical skills.
  • To evade evolving detection technologies— organizations are shifting away from traditional detection technologies like secure email gateways (SEGs), which rely on blocklists to identify malicious links, toward intelligent cloud-based solutions. Attackers are adapting by employing obfuscation techniques to mask their hyperlinks, including link shorteners, typo-squatting, and quishing.
In 2023, cyber claims stemming from email attacks grew by 24%. Larger companies with annual revenue greater than $100 million saw the highest overall increase in frequency with three times more email claims than companies under $25 million. The three top most-targeted industries for email crime in 2023 and the first half of 2024 were manufacturing, finance and law firms.

NOT FOR REPRINT

© Touchpoint Markets, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.