Recession or not, we have resources to help your business master this moment of high interest rates, labor shortages, sticky inflation, and slower growth. We've put together our Agility & Excellence Resource Center to bring you strategies and solutions with a finger on the pulse of what's ahead.

During the pandemic, QR codes became immensely popular for contactless interactions, such as accessing restaurant menus or signing up for events. The surge in usage, aimed at minimizing the human-machine gap, has persisted over the years. However, this popularity has also attracted cybercriminals, leading to a notable increase in QR code phishing, or "quishing," scams. According to a recent study released by ReliaQuest, a significant 51% spike in such attacks was observed in September 2023 alone, compared to the months prior, highlighting an ongoing trend into the latter half of the year.

Quishing attacks have particularly targeted business leaders, according to another recent study, with C-suite executives being 42 times more likely to be victims than average employees, underscoring the strategic focus of these cyberthreats. In the same study, the construction and engineering industries were cited as the most vulnerable, facing quishing attacks 19 times more often than other industries, emphasizing the broad and varied risk landscape.

What is Quishing?

Cybercriminals craft quishing attacks by creating fraudulent QR codes that mimic legitimate ones, directing victims to malicious sites or to download deceptive apps, and subsequently requesting personal information like credit card numbers or login credentials. These scams often lure victims under the pretense of multifactor authentication or shared document access, prompting them to enter sensitive details on fake websites. The acquired information is then exploited for data theft, further malicious activities or to gain access to interconnected systems.

Identifying the difference between real and fake QR codes presents a challenge, significantly increasing the risk of quishing. These deceptive codes can bypass traditional security by appearing as innocuous images, making them especially dangerous. Quishing strategies, encompassing email, payment, package, donation and investment scams, aim to either pilfer data or distribute malware, underscoring the importance of vigilance and robust cybersecurity measures.

Preventing Quishing Attacks

To bolster defenses against the rising threat of quishing attacks, organizations can adopt several proactive strategies. These measures not only help in identifying and avoiding scams but also in fostering a culture of cybersecurity awareness among employees.

These include:

• Educate Your Team: Conduct regular training sessions to educate employees about the nature of quishing attacks and how they are carried out. Awareness is the first step toward prevention.
• Promote Vigilance: Encourage employees to exercise caution with unsolicited QR codes received via email, text messages or social media, especially if they come from an unrecognized source.
• Verify Authenticity: Before scanning a QR code from known contacts or organizations, verify its legitimacy by reaching out to the source directly through a verified contact method.
• Recognize Phishing: Train employees to spot common signs of phishing, such as urgent requests, emotional appeals or messages with poor grammar and spelling errors.
• Inspect QR Code URLs: Encourage the practice of reviewing the URL linked to a QR code. Many smartphones show the URL before opening it, allowing users to verify if it directs to the expected site.
• Implement Secure QR Code Practices: Develop and disseminate guidelines for the safe creation and distribution of QR codes within your organization, ensuring that they are generated securely and shared through trusted channels.
• Use QR Code Scanning Apps: Encourage the use of QR code scanners that offer added security features, such as checking URLs against known malicious sites.
• Limit Disclosure of Sensitive Information: Reinforce the policy of not providing sensitive personal or company information such as login credentials or financial details — on websites accessed via QR codes.
• Regular Security Audits and Updates: Keep your organization’s cybersecurity measures up to date, including regular security audits and updates to anti-malware and anti-phishing software.
• Encourage Reporting of Suspicious Activities: Create a simple process for employees to report suspicious QR codes or phishing attempts, fostering an environment where security concerns are openly communicated.

By integrating these practices, organizations can significantly reduce their vulnerability to quishing attacks. It’s essential for businesses to stay ahead of cybercriminals by continually updating their cybersecurity strategies and educating their workforce about evolving digital threats.

Next Steps

Implement the right controls to shield your organization from phishing attacks. With strategies like multi-factor authentication, security awareness training, SIEM tools, data encryption and intrusion prevention, you can significantly reduce risks. At CBIZ, our expertise in SOC 2 reporting can guide you through implementing these essential controls. Connect with our team today to fortify your defenses.

Copyright © 2024, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).