Quishing is a cyber threat that exploits QR codes and phishing in deceptive emails, posing risks like data breaches and malware infections. The HC3 recommends that healthcare organizations use a multi-layered defense strategy involving email server protection, user training, multi-factor authentication, security software, and QR code vigilance, safeguarding systems and data against quishing.
Understanding the quishing threat
Quishing is the abuse of QR codes in phishing attacks. Cyber attackers lure victims into scanning malicious QR codes through deceptive emails, leading to data breaches, malware infections, and other cyber threats. These attacks mirror traditional phishing schemes in many ways and are cunningly designed to trick recipients.
Related: What is quishing? The QR code phishing scam explained
The risks of quishing
Phishing attacks can lead to data breaches and system compromise. Healthcare organizations are especially vulnerable due to the value of healthcare information on the black market. According to these published 2024 cybersecurity trends and data, "Over 75% of targeted cyberattacks start with an email in 2024, making phishing a primary vector for cybercrime."
Building a multi-layered defense strategy
Healthcare organizations must develop a multi-layered defense strategy with various components to combat quishing:
Email server protection: involves configuring your mail server to filter out unwanted emails, reducing the influx of quishing attempts. Advanced email filtering systems use algorithms and threat intelligence to identify and block phishing emails before they reach a user's inbox. These systems can analyze email content, attachments, and sender behavior to detect threats. Regularly update these filters to ensure they stay effective against evolving quishing tactics.
End-user awareness training: Train users within your healthcare organization to detect phishing attempts and approach all email content skeptically. Common themes in deceptive emails include:
- references to invoices,
- requests for personal information,
- and mentions of suspicious activity.
Training programs can be tailored to address specific "quishing" tactics and examples to make users more vigilant. Regular workshops and simulated phishing exercises can help users recognize and report suspicious emails.
Multi-factor authentication (MFA): Multi-factor authentication (MFA) helps prevent stolen credentials, often the initial goal of a quishing attack. Healthcare organizations and others looking to protect their systems must implement MFA. MFA requires users to provide at least two verification forms, such as a password and a one-time code sent to their mobile device, before gaining access. Even if an attacker obtains login credentials through quishing, they would still be unable to access an account without the additional verification method. The Cybersecurity and Infrastructure Security Agency(CISA), in their Implementing Phishing-Resistant MFA encourages organizations to implement phishing-resistant MFA as part of their long- and intermediate-term plans towards applying Zero Trust principles. They recommend that “organizations identify systems that do not support MFA and develop a plan to either upgrade so these systems support MFA or migrate to new systems that support MFA.”.
Related: Enhancing HIPAA compliance with multi-factor authentication
Security software: Advanced endpoint security solutions use real-time threat intelligence and behavioral analysis to identify and block suspicious activities on endpoints. They can detect and stop malware, including ransomware before it can execute and cause harm. Regular updates to security software incorporate the latest threat information and patches to known vulnerabilities.
QR code usage: The FBI recommends not scanning randomly found QR codes and being suspicious if prompted to enter passwords or login information. Be cautious when QR codes appear tampered with. Cybercriminals sometimes paste bogus QR codes over legitimate ones, and users should be encouraged to inspect QR codes for any signs of tampering.
FAQs
Are quishing attacks only limited to email scams?
No, quishing can also occur through physical QR codes placed in public spaces, aiming to trick users into scanning them and unknowingly accessing malicious sites.
What are some signs of a potentially malicious QR code?
A QR code that prompts unusual requests, like entering login credentials or personal information, or appears pasted over another code, could be a red flag.
How can healthcare organizations test the effectiveness of their quishing defenses?
Regularly conducting simulated phishing exercises that incorporate QR code-based scenarios can help organizations evaluate and improve their defenses against quishing attacks.