Riyadh: As the world of cybercrime continues to evolve, phishing remains the reigning champion year after year. In 2022 alone, 84% of organisations were targeted by one or more phishing attacks, a 15% increase over the previous year. As the most common type of cybercrime, phishing emails are crafted to appear as if they are from trusted senders, with over 3.4 billion such emails sent by attackers each day. However, a fresh threat has emerged, propelled by the widespread use of quick response (QR) codes worldwide.

In recent years, industries have prioritised cybersecurity training and awareness initiatives for their workforces. The emerging threat, QR code phishing, or quishing, has started to cast a shadow across various industries globally, including in Saudi Arabia as it rapidly develops its digital infrastructure. Malicious QR codes are ingeniously deployed to ensnare unsuspecting victims, luring them into disclosing sensitive information through a variety of channels, from deceptive emails and text messages to cunningly crafted social media posts.

Quishing: The evolving phishing threat

Quishing has gained prevalence due to its resilience against common anti-phishing measures. Unlike typical phishing attacks, which often involve malicious links embedded in text, quishing employs images that can be decoded to reveal URLs. Detecting malicious URLs from QR codes in emails poses a significant challenge compared to scanning text for malicious links, rendering quishing a preferred method for threat actors conducting cyberattacks.

In this context, Manikandan Thangaraj, vice president at ManageEngine, a division of Zoho Corporation and a leading provider of enterprise IT management solutions, stated: "With the significant expansion in the use of QR codes and digital payment systems in Saudi Arabia, individuals and organizations in the Kingdom are increasingly exposed to sophisticated fraudulent attacks."

"This reality makes it essential to adopt advanced security measures, such as verifying the validity of links and QR codes before interacting with them and implementing security solutions based on an understanding of human behaviour to protect the Kingdom's digital infrastructure and ensure the safety of citizens and organizations from the growing threats in cyberspace," Thangaraj said.

The psychology behind quishing attacks

Thangaraj pointed out that QR code fraud technology has seen increasing popularity among fraudsters due to its ability to evade traditional security systems. Instead of relying on texts containing malicious links, like traditional phishing attacks, this technology uses encrypted QR codes that make it difficult to detect the malicious links within. This makes it hard for antivirus programs to uncover these attacks, thus making it an attractive tool for attackers.

These attacks exploit human psychological vulnerabilities, social nature, and trust in others. Fraudsters employ a variety of deceptive psychological tactics, such as exploiting trust relationships, disguising themselves as authorities, using manipulative language, creating a sense of urgency or fear, and applying social engineering techniques to arouse curiosity or greed. In this way, they manage to deceive victims and convince them to scan malicious QR codes, leading to the leakage of their personal data or the infection of their devices with malware and viruses.

Combating quishing with behavioural science

In the fight against cybercrime, understanding human behaviour is the key. Behavioural science is a crucial asset in the fight against quishing attacks, offering insights into human behaviour and vulnerabilities. By understanding these intricacies, experts can develop targeted training programs to empower individuals to recognise and resist deceptive tactics. Furthermore, behavioural science informs the implementation of tailored security measures, addressing cognitive biases and heuristics to mitigate specific risks posed by quishing campaigns. This approach fosters a culture of critical thinking and resilience within organisations, empowering employees to serve as the frontline defence against cyberthreats.

Behavioural science

Thangaraj explained that behavioural science offers essential strategies to counter the growing threat posed by QR code phishing attacks, highlighting the importance of developing effective training programs based on these strategies to educate employees on the latest phishing techniques. These include the malicious use of QR codes and psychological tricks exploited by cybercriminals to target human emotions.

Thangaraj emphasized that raising employee awareness about cybersecurity risks is vital to protecting organizations from evolving threats, especially amid the rapid digital transformation occurring in the Kingdom. He stressed the importance of all organizations leveraging behavioural science principles to enhance their security, such as applying the authority principle through senior leadership emphasizing the importance of cybersecurity and the social proof principle to foster a culture of security awareness.

Advanced security solutions

 To achieve comprehensive and sustainable protection against fraud attacks via QR codes, Saudi institutions should adopt a holistic defensive approach that combines both technical and behavioural strategies. By implementing quick and integrated response plans to address these attacks, fostering a strong security culture, and enhancing cooperation between various departments within the institution and externally, strong defences can be built to face the evolving challenges in the world of cybersecurity.

As Saudi Arabia continues to rapidly digitise its infrastructure and economy, the threat of quishing attacks becomes particularly relevant. With the widespread adoption of QR codes and digital payment systems, the Kingdom's population and businesses are increasingly vulnerable to these sophisticated phishing tactics. Implementing behavioural-science-driven security measures is crucial to protect Saudi Arabia's digital transformation and safeguard its citizens and enterprises from the evolving cybercrime landscape.

-Ends-

About ManageEngine

ManageEngine is the enterprise IT management division of Zoho Corporation, catering to a wide range of organizations, MSPs and MSSPs. Established and emerging enterprises—including 9 of every 10 Fortune 100 organizations—rely on ManageEngine's real-time IT management tools to ensure optimal performance of their IT infrastructure, including networks, servers, applications, endpoints and more. ManageEngine has offices worldwide, including in the United States, the United Arab Emirates, the Netherlands, India, Colombia, Mexico, Brazil, Singapore, Japan, China, Australia and the United Kingdom as well as 200+ global partners to help organizations tightly align their business and IT. For more information, please visit the company site, follow the company blog and get connected on LinkedIn, Facebook, Instagram and X (formerly Twitter).