Healthcare organizations face a growing security threat as cybercriminals leverage QR codes in phishing attacks. This emerging trend, known as "quishing," combines traditional phishing tactics with QR code technology to bypass email security measures and trick healthcare workers into exposing sensitive information or downloading malware.
According to a security survey by researchers at SBA Research, QR (Quick Response) codes were initially invented to track automotive parts during production, but their use has expanded significantly due to their low cost and ease of deployment. The researchers identify two main methods attackers use in "quishing" attacks: they either replace legitimate QR codes entirely with malicious ones, or modify individual modules within existing codes. These malicious codes often direct users to fraudulent websites that masquerade as legitimate sites, attempting to steal sensitive information such as usernames, passwords, or credit card details. The study also states that research has shown curiosity is the main motivation for users to scan unknown QR codes, making them particularly vulnerable to such attacks.
Learn more: What is quishing? The QR code phishing scam explained
The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) warns that QR code phishing poses a significant threat to healthcare organizations as an entry point for devastating cyberattacks. These "quishing" attacks often lead to ransomware infections, major healthcare data breaches, and theft of sensitive medical research. The healthcare sector is particularly vulnerable to these attacks due to the lucrative nature of stolen health data. In 2021, phishing was identified as the most common attack method against healthcare organizations, comprising nearly half of all cyber incidents, with successful attacks costing organizations an average of $14.8 million. This represents a quadrupling in attack costs since 2015, showing the growing financial impact of this threat on healthcare providers.
Attackers send emails appearing to be from trusted healthcare sources - insurance providers, medical equipment vendors, or healthcare systems - containing QR codes. These emails often claim to require urgent action, such as:
Criminals also target healthcare facilities by placing malicious QR codes in physical locations, including:
Research from the International Journal of Computer Applications emphasizes several approaches to protect against QR code phishing attacks. Organizations and users should implement a multi-layered defense strategy, starting with verification of QR code sources. The study strongly advises against scanning QR codes out of curiosity, as this behavior has led to significant financial losses—$13 million in the United States alone from QR code-based fraud. For healthcare providers and businesses, regular monitoring of displayed QR codes is required to detect any unauthorized modifications or substitutions of legitimate codes with malicious ones.
The research demonstrates that machine learning-based detection systems can achieve up to 96.47% accuracy in identifying malicious QR codes, suggesting that organizations should consider implementing automated scanning solutions. Software developers are encouraged to incorporate QR code verification APIs into their applications to provide an additional layer of security. While these technological solutions show promise, the researchers emphasize that the most effective defense remains user vigilance and strict policies about scanning QR codes only from trusted, verified sources.
Read more: Machine learning in healthcare
An Application Programming Interface (API) is a set of rules and protocols that allows different software applications to communicate with each other. In the context of QR code security, APIs can be used to automatically verify QR codes against databases of known malicious codes or to check the safety of the websites they link to before users are directed to them.
Machine learning-based detection systems are sophisticated software solutions that use artificial intelligence to identify patterns and characteristics of malicious QR codes. These systems analyze various aspects of QR codes, including their structure, embedded URLs, and behavioral patterns, to determine if they're legitimate or potentially dangerous.
Watch for unexpected QR codes in emails, codes placed over existing ones, or codes in unusual locations. Be particularly suspicious of codes claiming to require urgent action or promising rewards. Any QR code requesting login credentials should be treated with extreme caution.