Threat actors are constantly finding new and innovative ways to compromise systems, and the latest technique is called “quishing”.

Quishing – short for “QR code phishing” – leverages the growing use of QR codes in workplace communication to bypass traditional phishing defences. Sophos recently released research from its X-Ops team highlighting how these attacks are growing in sophistication and frequency, including in South Africa.

What is quishing?

Quishing attacks involve embedding fraudulent QR codes in PDF attachments sent via e-mail. These codes are designed to appear legitimate, often disguised as important business documents related to payroll, employee benefits or other HR-related topics. When scanned by an employee’s mobile device, the QR code redirects them to a phishing site designed to harvest sensitive credentials and bypass multifactor authentication (MFA).

Sophos researchers found that mobile devices are often less protected than corporate systems, making them a prime target for these attacks. Andrew Brandt, principal researcher at Sophos X-Ops, explains: “Our research reveals that quishing attacks are intensifying in both volume and sophistication, particularly in how the fraudulent PDFs and QR code graphics are designed to deceive employees.”

How quishing works

Quishing attacks rely heavily on social engineering to trick users into taking action. By creating a sense of urgency or legitimacy, attackers lure employees into scanning the QR code without questioning its authenticity. Once on the phishing site, employees may unknowingly share sensitive login credentials, giving attackers access to corporate systems.

Some malicious actors now offer quishing-as-a-service platforms, complete with advanced tools like Captcha bypasses, IP address proxies and credential capture features. These services are making it easier for cybercriminals to launch sophisticated phishing campaigns.

Defending against quishing attacks

To combat this rising threat, Sophos X-Ops recommends a multi-layered approach to cybersecurity:

Be wary of internal e-mails on sensitive topics: E-mails referencing salaries, benefits or HR matters are commonly used in quishing attacks. Employees should exercise caution and verify any such communications before scanning QR codes.
Use secure QR code scanners: Sophos Intercept X for Mobile, available on Android, iOS and Chrome OS, includes a secure QR code scanner that alerts users if a URL is malicious.
Monitor sign-in activity and enable conditional access: Identity management tools can detect unusual login attempts, while conditional access ensures only trusted devices and locations can access sensitive systems.
Implement advanced e-mail filtering: Sophos’s QR code phishing protection solution helps detect and block fraudulent QR codes in e-mails and attachments. The solution will expand further in early 2025.
Encourage vigilance among employees: Fostering a culture of cybersecurity awareness is crucial. Employees should report any suspicious activity to the incident response team immediately.
Revoke suspicious user sessions: Organisations must have a plan in place to revoke access from users showing signs of compromise quickly.

Staying ahead of emerging threats

Quishing demonstrates how attackers are adapting their methods to exploit new vulnerabilities. However, businesses can stay ahead by leveraging advanced cybersecurity tools, promoting awareness and partnering with trusted security vendors like Sophos.

About Sophos
Sophos defends organisations from inevitable cyberattacks with innovative, adaptive defences and deep expertise. Continuously innovating to stay ahead of cyberthreats, Sophos integrates endpoint, firewall, MDR and more through the Sophos Central management console, as Sophos X-Ops expansive threat intelligence optimises the entire cybersecurity ecosystem.