By Ronak Jain, Enterprise Security Analyst at ManageEngine discusses the importance of behavioural science in strengthening security against quishing.
In the persistent environment of cybercrime, one technique stands as the reigning champion year after year: phishing, a gateway to data theft. With a multitude of vulnerabilities inherent in human behaviour, phishing aims to exploit these weaknesses with the goal of stealing sensitive personal information such as login credentials and credit card numbers.
In 2022 alone, 84% of organisations were targeted by one or more phishing attacks, which is a 15% increase over the previous year. As the most common type of cybercrime, phishing emails are made to appear as if they are from trusted senders. Over 3.4 billion emails are sent by attackers each day, adding up to more than a trillion phishing attempts via email every year.
In recent years, industries have increasingly prioritised cybersecurity training and awareness initiatives for their workforces. However, a fresh threat looms large on the horizon, propelled by the widespread use of quick response (QR) codes worldwide. This emerging threat, called QR code phishing or quishing, has cast a shadow of concern across various industries globally.
Malicious QR codes are ingeniously deployed to ensnare unsuspecting victims, luring them into disclosing sensitive information. These deceptive codes are delivered to individuals through a variety of channels, ranging from deceptive emails and text messages to cunningly crafted social media posts. Worse yet, even physical locations are not spared from this digital onslaught.
Quishing has gained prevalence due to its resilience against common anti-phishing measures. Unlike typical phishing attacks, which often involve malicious links embedded in text, quishing employs images that can be decoded to reveal URLs. Detecting malicious URLs from QR codes in emails poses a significant challenge compared to scanning text for malicious links, rendering quishing a preferred method for threat actors conducting cyberattacks.
The phishing threat landscape
When it comes to phishing, it’s all about gaining the trust of unsuspecting victims to convince them to divulge sensitive information. According to the Phishing Threat Trends Report 2024 by Egress, “quishing has risen from 0.8% in 2021 to 10.8% in 2024, whereas attachment-based payloads halved from 72.7% to 35.7% in the same timeframe.” This implies that attackers are now using evolved phishing tactics such as deceptive QR codes.
Quishing poses a special problem as it involves a myriad of devices while being incredibly apt at bypassing traditional anti-phishing methods. Employees’ personal devices don’t always follow the cybersecurity policies that companies set and therefore don’t have good protection against phishing scams. This makes it challenging to discover and stop security breaches.
Security measures and principles need to evolve to keep up with new phishing trends such as AI phishing, which essentially attempts to perfect the deception by crafting highly persuasive content.
The psychology behind quishing
As stated earlier, phishing attempts to exploit the trust and naivety of users. Humans are extremely susceptible to psychological influence that cybercriminals bet on. They employ tactics such as:
- Exploiting trust and leveraging the authority principle Perpetrators meticulously craft fake personas, often impersonating reputable organisations, banks, or even trusted individuals and government institutions.
- Using manipulative language and instilling a sense of urgency or fear Manipulative language serves as a potent weapon in criminals’ arsenal and is skillfully employed to sway victims during quishing attempts.
- Crafting social engineering techniques and appealing to curiosity or greed These techniques greatly facilitate personalised attacks. Amidst current phishing trends, millennials have turned out to be the primary targets, receiving 5% of phishing emails. As expected, the most coveted targets are often high-profile individuals, with CEOs bearing the brunt of phishing attacks. An astonishing 13.4% of these malicious campaigns involve impersonating individuals known to the victim.
On the other side of the coin, most people fall victim to quishing scams due to the psychological tactics described above overriding their rational thought processes. These tactics see a tremendous amount of success due to the following psychological factors:
- The degree of cognitive biases and the level of suggestibility
These differ from person to person. Especially in workplaces, cognitive biases like overconfidence bias and confirmation bias increase susceptibility to phishing scams. Overconfidence leads to a lowered guard, while confirmation bias makes individuals more likely to fall for deceptive tactics. - Large-scale phishing attempts are widespread, taking advantage of the suggestible nature of numerous individuals. People usually take threats and urgent matters seriously, which is good for protecting themselves. However, this cautiousness can become a problem for organisations.
- The aspects of context and timing and the impact of social proofResponse behaviour determines susceptibility to quishing attempts, with various factors influencing individual reactions. Scammers can exploit these factors, particularly when circumstances are conducive to manipulation.
Social proof is a psychological phenomenon where people mimic the actions of others in certain situations.
Quishing campaigns
Quishing is a cyclic cybercrime campaign that often starts with QR codes embedded in fraudulent emails or texts, or with legitimate physical QR codes replaced by malicious ones. The scammer poses as a trusted authority figure and creates a false sense of urgency or fear to prompt the victim into compliance.
Once the scam is successful, the cycle may repeat with the acquired information or resources being used to target additional victims.
With the rise of AI, AI-powered phishing campaigns are gradually taking centre stage. Generative AI and deepfakes continue to make news. Popular communication platforms like Zoom and regular phone calls are being used in conjunction with other strategies in quishing scams to increase the probability of success. Such scams include the use of deepfakes to falsify video or audio for greater persuasion. The combination of these tactics is leading to an increase in the complexity of attacks and how cybersecurity defences should be set up.
Voice phishing, or vishing, has also been on the rise due to AI. AI voice calls are much simpler to execute than deepfake images and intricate emails since the victim cannot visually confirm the identity of the person on the other side.
The role of behavioural science
Behavioural science is a crucial asset in the fight against quishing attacks, offering insights into human behaviour and vulnerabilities. By understanding these intricacies, experts can develop targeted training programs to empower individuals to recognise and resist deceptive tactics. Furthermore, behavioural science informs the implementation of tailored security measures, addressing cognitive biases and heuristics to mitigate the specific risks posed by quishing campaigns. This approach fosters a culture of critical thinking and resilience within organisations, empowering employees to serve as the frontline defense against cyberthreats.
