The healthcare sector is no stranger to cyber threats, and one of the most concerning ones is quishing. A recent white paper by the Health Sector Cybersecurity Coordination Center (HC3), October 2023, explores the rising threat of quishing in healthcare cybersecurity.
What is quishing?
Quishing is a cyber threat that exploits Quick Response (QR) codes in phishing attacks. Cyber attackers use email to send malicious QR codes that redirect users to harmful websites or initiate malware downloads. This poses significant risks to healthcare organizations.
Related: What is quishing? The QR code phishing scam explained
The rise of QR codes
The HC3 white paper notes the growing popularity of QR codes for enhancing user experience. However, cyber attackers use QR codes in phishing attacks, known as quishing. Attackers insert malicious QR codes into emails or use seemingly innocent QR codes to persuade recipients to scan them. Victims are often deceived by the false context created in the email, leading them to trust the QR code.
Countermeasures and mitigations
To combat quishing and other cyber threats effectively, the HC3 suggests that healthcare organizations develop a multi-layered defense strategy.
- The first line of defense is email server protection, often the entry point for phishing and quishing emails. Configure the mail server properly to filter out unwanted emails or integrate a spam gateway filter to reduce the influx of phishing emails.
- Provide awareness training for end users. They should be educated to detect phishing emails and approach all email content with some skepticism.
- Multi-factor authentication (MFA) is highly recommended to protect against stolen credentials, a common goal of phishing attacks. MFA adds an additional layer of security by requiring multiple verification forms before granting access, reducing the risk of unauthorized access. The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, has provided guidance on Implementing Phishing-Resistant MFA.
- In addition to email gateway filtering, deploy and regularly update endpoint security software on every user's system. This software can detect malware as it is being executed on a system. That is particularly effective if a user interacts with a phishing email.
Related: HIPAA Compliant Email: The Definitive Guide
Preventing QR code abuse
The same resources used to prevent user access to known malicious sites and to prevent malware downloads through traditional phishing attempts can be applied to quishing. The FBI recommends several actions to prevent quishing attacks:
- Do not scan a randomly found QR code. Verify the source and legitimacy of the QR code before you scan it.
- Be suspicious if the site asks for a password or login information after scanning a QR code. Legitimate QR codes should not prompt you for sensitive information.
- Do not scan QR codes received in emails or text messages unless you can verify their legitimacy through alternative means. Contact the sender to confirm the source.
- Be cautious of QR codes that appear to be tampered with. Cybercriminals sometimes paste bogus codes over legitimate ones, so you must exercise caution.
The HC3 emphasizes in the white paper that the same level of caution should apply to legitimate ads received in the mail to prevent quishing attacks further.
See also: HIPAA Compliant Email: The Definitive Guide