How Behavioural Science Can Protect Against QR Phishing Attacks

by Karthick Chandrasekar, Associate Director, ManageEngine

The threat of cybercrime (especially quishing) looms larger each year. In Malaysia, 2,012 incidents were reported in the first four months of 2024 according to CyberSecurity Malaysia. Furthermore, the Ministry of Investment, Trade and Industry (MITI) is expected to announce sweeping changes as a result of the Cyber Security Bill 2024. Passed in April, the bill aims to enhance the nation’s cybersecurity through compliance with specific measures, standards, and processes in managing cybersecurity threats.

One such threat, often known as quishing or QR phishing, involves cybercriminals using QR codes to trick victims into downloading malicious software. Cybercriminals use phishing as a means of obtaining sensitive personal data, including credit card numbers and login credentials. Its widespread popularity can be attributed to phishing’s ability to take advantage of the human element, cybersecurity’s weakest link.

Why Quishing Works

Establishing trust with victims is crucial for a successful phishing attempt. Quishing does the same but bypasses traditional anti-phishing methods. Since personal devices are not usually protected by the same level of cybersecurity policies as company devices, security breaches are tougher to identify or mitigate.

Unfortunately, people are quite susceptible to the psychological manipulation that phishing preys on. Threat actors do this through a variety of strategies, such as:

1. Exploiting authority and trust
   Perpetrators carefully craft fake personas from reputable organisations like banks or law enforcement, where perpetrators attempt to dissuade victims of their legitimacy by playing on their sense of trust. Sophisticated phishers use meticulously mimicked communication styles and logos to further the illusion. Likewise, they use people’s inclination to submit to authority figures without question by taking on the persona of powerful business leaders or public officials.

2. Using manipulative language to instil fear or urgency
   The greatest weapon available to a phisher is manipulative language. Through their warm and sympathetic demeanour, they are adept at creating a false sense of trust in their victims. On the other hand, they can be experts at intimidation, capitalising on people’s fear of authority by using harsh words and threats to force victims to comply. Both strategies frequently work to bypass any initial scepticism the victim may have.

3. Appealing to curiosity or greed
   Attackers have learned to play on a victim’s curiosity or greed by promising financial benefits. Crafted emails may guarantee enticing offers or rewards, prompting recipients to click malicious links, download attachments, or scan QR codes.

The Psychology of Quishing

As phishers are skilled manipulators who know exactly how to override rational thought processes, people frequently fall victim to quishing. These strategies work very well because of the following psychological factors:

1. Cognitive bias and suggestibility
   Because people tend to take threats seriously, they may feel compelled to obey orders from superiors and not think to question dubious emails or communications. This can undermine an organisation’s security efforts, as individuals who tend to be excessively obliging make great targets for phishing scams.

   While it varies from person to person, factors like confirmation bias and overconfidence bias – the tendency to overestimate the accuracy of one’s judgments – can also lower a victim’s guard and increase their susceptibility to such scams.

2. Context, timing, and social proof
   A phishing attack’s effectiveness is dependent on many variables, including time and context. If a victim is stressed, their judgment may be impaired, making them more susceptible. Similarly, cybercriminals exploit social proof by instilling a sense of urgency in their targets by asserting that since others have scanned the code, they should as well.

Quishing As a Constant Threat

Quishing is carried out by inserting malicious QR codes in place of genuine ones or including malicious QR codes in phoney communications. If successful, the information acquired will be used to target others. This cycle combined with persuasive strategies makes quishing a constant threat.

Phishing campaigns are becoming more popular and convincing as AI gets involved. Deepfakes increase the effectiveness of phishing since they are more difficult to spot, making it easier to trick people into scanning a malicious QR code.

Enhancing Security Measures Against Quishing

PWC predicts that “69% of business executives in Malaysia emphasise modernisation of technology with cyber investments” while “83% will deploy GenAI for cyber defence in the next 12 months.”

The combination of behavioural science and GenAI can help organisations defend against quishing attacks. Moreover, organisations can bring in IT security experts to develop training programs that focus on cognitive bias and heuristics.

Employers must also guarantee the security of their workers’ devices by adopting multi-factor authentication (MFA) and leveraging robust software for web filtering to block malicious websites. By teaching employees to be wary of QR codes, employers can further equip their workforce to resist quishing attempts. Finally, organisations that have the tools to carry out threat intelligence can send out emails that provide updates on new cybercrime trends.

Ultimately, organisations face the threat of quishing, but there is no reason why they can’t resist it.