Scanning for Trouble: The Hidden Dangers of QR Code ’Quishing’ Attacks 

Author: Tyler L. Jones, MSIT, CEH, PJMR, CCTHP, ASV | Clearwater Sr. Cybersecurity Analyst, Incident Response & Threat Intelligence 

The QR Code Revolution Promise 

In the last ten years, the digital world has seen a seismic transformation in how we share and tap into data. Remember when QR (Quick Response) codes were those quirky squares predominantly seen in warehouses for tracking boxes? Fast forward to today, and they’re plastered just about everywhere, from restaurant menus to concert tickets. This isn’t some random tech fad. The omnipresence of these scannable squares is the result of a perfect storm of circumstances: 

  • The Touchless Age: If there’s one silver lining the COVID pandemic has etched onto our tech canvas, it’s the birth of a contactless society. QR codes stood out, evolving from novelty to necessity, becoming our go-to for everything from grabbing digital menus to flashing boarding passes. 
  • A New Efficiency: Condensing a wealth of data into a tiny, scannable square, what’s not to love? Simplifying and accelerating everything from healthcare education, prescription details, quick references, and marketing, these quirky squares have proliferated.  

QR codes are growing and are now an even more integral part of our connected existence. With this growth, nefarious threat actors also quickly adopted threat tactics utilizing QR codes. From phishing, these new codes now opened opportunities for ‘quishing’ attacks.  

In the world of digital health, the once-trusted QR code has taken on a role akin to a modern-day Trojan horse. Picture a patient seeking health information or services, scanning what appears to be a legitimate code at a clinic or on a medical brochure. Yet, unbeknownst to them, this seemingly benign square has been swapped out with a more sinister counterpart. It leads them not to genuine health resources but to an eerily accurate imitation of a medical website. The cloned logos and familiar healthcare terminology mask a threat to the patient’s privacy. As patients dutifully input sensitive health data, malicious code on the website begins intercepting every byte of information. Alarmingly, these healthcare-focused scams surged in prevalence, witnessing a staggering sevenfold increase in the tempestuous span of 2022. The intertwining of the digital realm and medical world demands heightened vigilance, as even our everyday tools become potential vectors of deception.

Behind the Pixels: QR Codes’ Shadowy Underbelly 

When it comes to QR codes, the devil, as they say, is often in the details—or, in this case, the pixelated details. 

  • QR Code Alteration: Think altering a QR code is an arduous task? Think again. With rudimentary knowledge and tools, these seemingly complex patterns can be manipulated. A quick Google search returned a myriad of pages detailing how to modify or generate malicious QR codes that can point to domains spreading malware or fake sites aimed at obtaining patient login details or credential harvesting.   
  • The Sting of Malware: Here’s where things take a darker, deeply technical twist. Embedded within these codes, attackers can initiate a drive-by download, exploiting vulnerabilities in your device’s software.  Advanced persistent threats (APTs) could lie dormant, only to execute commands remotely, potentially taking over device functionalities, exfiltrating sensitive data packet by packet, or turning your device into just one more endpoint within a botnet.  

When Scans Go Rogue 

QR codes promise immediacy and new ways to engage within healthcare. This seemingly harmless code creates a perfect storm, making us lower our guards and bypass the usual safety checks we might employ with, say, a suspicious email. 

When it comes to the QR code battlefield, more cyber education is needed so patients, providers, and innovators are aware of when and how these codes can be abused. End-user security awareness is paramount in combatting all forms of phishing, and QR code phishing, or quishing, is no different. 

QR Code Safety Practices 

QR codes have become the latest pawn in the hands of adversaries. Here is some advice when encountering a QR code to share within your organization: 

  • Context is King: A QR code slapped on a wall or presented without context should raise alarm bells. It’s the digital equivalent of a stranger handing you an unmarked USB drive—enticing, perhaps, but fraught with potential peril. If you’re unsure, navigate to the promotional material another way. Most marketing campaigns do not solely rely on QR codes, and search engines such as Google or Bing will often be able to find the same page the QR code directs to if you search for the event or website you think the QR code is related to. 
  • Watch and Verify: The first line of defense is an age-old principle—vigilance. If it’s from an unknown or suspect source, think twice before giving it a scan. Watch your phone screen—with special attention given to your notification area—after scanning a QR code. You’re looking for any notifications indicating a file download was successful or a new app might have been installed. If the code just opens a website, review the URL within your browser, and keep an eye out for any signs that the site may not be real. Be highly suspect of scans that go to pages that prompt for a login or ask for sensitive information, it’s best to navigate outside of the scan directly to your desired site for safekeeping. 
  • Look for Trustworthy Tools: Not all QR code scanning apps are created equally. Arm yourself with reputable apps that come equipped with built-in security mechanisms. These apps don’t just read the code; they add a layer of scrutiny, ensuring the underlying link isn’t leading you into a trap. 
  • Just say NO to QR Codes in Emails: Treat QR codes with the same caution you’d give to an unexpected email attachment from an unknown source. Malicious QR codes in emails can bypass most security vendors because the content and intent are not immediately detectable. The US Health and Human Services published a whitepaper on QR code Quishing as a Threat to the Health Sector sharing more details. 

QR codes’ unparalleled convenience and unnerving vulnerability show how swiftly they can be exploited. Let’s advocate for awareness, vigilance, and preventive measures that balance without stifling healthcare technology innovation and new ways to engage. QR codes in the right setting and with security education are still a viable way to enhance patient care.  

Interested in learning more about the latest healthcare cyber risks? Subscribe to Clearwater’s monthly Cyber Briefing.  


Sign up to receive our monthly newsletter featuring resources curated specifically to your concerns.

Related Blogs

With Us