Malicious actors are always coming up with new and innovative ways to steal your money and information. This means it’s all the more important to be aware of these new attacks as they appear and know how to spot and respond to them. In this article I’ll be bringing attention to a new attack that has become increasingly common in recent months. That attack is called ‘Quishing’, and it is a specific new variant of the much broader attack known as phishing.
You’ll probably already be familiar with phishing in some form – and have probably been on the receiving end of a phishing attack. If you need a refresher, this ‘what is phishing’ article does a good job of laying down the basics. Phishing takes many forms, including spear phishing, whaling, smishing and vishing. It’s a form of social engineering in which a scammer pretends to be somebody trustworthy, such as a friend, subscription service or a bank, to convince a person to do something for them, such as:
Quishing is a new form of phishing that uses QR codes, and it’s becoming more popular – you may have even already seen it in the wild. A QR code, or Quick Response code, is a two-dimensional barcode that stores information in a machine-readable format. These can be read and interpreted by your smartphone camera and can store a variety of information. QR codes are designed to be used for a range of different purposes including:
QR codes look like this:
In the case of QR code phishing, attackers create a malicious QR code that, when scanned by a mobile device or QR code reader, leads the user to the same kind of activities as we see in other types of phishing. This could be a fraudulent website, a fake login page that captures sensitive information, or a URL that delivers malware. As for how the QR code gets to you in the first place, often it’s via an email, pretending to be from a reputable company, or from a friend’s email address. No, your friend probably hasn’t turned into a cyber criminal, but their email might have been hacked. Social media apps and messaging apps like WhatsApp are also attack vectors for quishing.
Quishing has the potential to get through spam filters and antimalware protection that may be scanning emails. If a malicious link is sent as text in an email, a spam filter or antimalware scanner can read it and block it. If the same malicious link is encoded in a QR code, however, it may be treated as ‘just an image’: the URL is never extracted, so it never reaches the link-checking logic and does not trigger the spam filter or malware scanner.
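The gap described above closes once a mail gateway decodes QR images and pushes the decoded payload through the same link checks it already applies to text URLs. The following is an added example, not code from the original post or from Bulletproof: it assumes that the actual QR decoding has been done by an external library such as zbar (not included here), and uses a constructed list of decoded payloads standing in for what that decoder would return for one email’s image attachments. The allowlisted brand domain and the shortener list are likewise constructed for the example.

```python
"""Treat QR payloads decoded from email images like any other inbound link.

Assumption (not from the page): an external QR decoder (e.g. zbar) has
already turned the image attachments into the strings below.
"""
from urllib.parse import urlparse
import ipaddress

# Constructed sample payloads, as a QR decoder might return them for one email.
DECODED_QR_PAYLOADS = [
    "https://mfa-reset.example-bank.com.login-verify.invalid/auth",  # lookalike host
    "http://203.0.113.7/update",                                     # IP-literal host
    "https://xn--exmple-cua.invalid/",                               # punycode host
    "WIFI:T:WPA;S:Guest;P:secret;;",                                 # Wi-Fi config, not a link
    "https://www.example-bank.com/statements",                       # genuine brand host
]

# Constructed allowlist: brands the organisation expects legitimate mail to link to.
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed list of shorteners that hide the real destination from the reader.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for a demo, use a public-suffix list in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_payload(payload):
    """Return the reasons a decoded QR payload looks suspicious (empty list = nothing found)."""
    reasons = []
    parsed = urlparse(payload)
    if parsed.scheme not in ("http", "https"):
        # Non-URL QR content (Wi-Fi, vCard, plain text) is not a link, so no link checks apply.
        return reasons
    host = (parsed.hostname or "").lower()
    if parsed.scheme == "http":
        reasons.append("plain http")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal host")
    except ValueError:
        pass  # not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")
    if registrable_domain(host) in URL_SHORTENERS:
        reasons.append("url shortener")
    # The brand name appears in the host but the registrable domain is not the brand's own.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and registrable_domain(host) != trusted:
            reasons.append(f"lookalike of {trusted}")
    return reasons


def scan_email_qr_payloads(payloads):
    """Map each decoded QR payload to its findings, as a gateway does for text links."""
    return {payload: assess_payload(payload) for payload in payloads}


if __name__ == "__main__":
    for payload, findings in scan_email_qr_payloads(DECODED_QR_PAYLOADS).items():
        print(("FLAG " if findings else "ok   ") + payload, findings)
```

Only the three URL payloads carrying a lookalike, IP-literal or punycode host are flagged; the Wi-Fi payload and the genuine brand link pass. The point is not the heuristics themselves, which any gateway already has, but that they are applied to the decoded image content at all.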
Cyber security is a constant game of cat and mouse between good guys and cyber criminals. New technologies present new opportunities and challenges, and the bad guys are often the first to exploit new tech capabilities. While QR codes might slip through some spam filters and anti-malware programs now, the defensive tech will evolve to combat QR-based threats.
In the meantime, I recommend the same defence as any other type of phishing attack: education. Regular security awareness training is a fundamental part of stopping all cyber attacks, but especially for phishing and social engineering attacks.
For security training to be effective, it should always be reviewed, updated and provided regularly to include advice on new threats in the ever-evolving landscape of cyber security.
Tell users how to spot phishing attempts. Quishing attempts often still show the common red flags of other phishing attacks, such as bad spelling and grammar, a misspelt or strange sender email address, and a cover story that pushes you to act without thinking, e.g. a time limit before your account is deleted.
This one varies according to your company policies, but I recommend reporting the email to your IT department, not just deleting it. This way tech teams can start to mount a proactive defence.
The rise of quishing attacks highlights how hackers and malicious actors are adapting to people becoming more security conscious and aware of the risks of links in emails. This advice, although correct and important, does not usually stretch to QR codes specifically and may lead a user to scan the QR code without thinking of the security repercussions as it may not have been specifically outlined as a potential risk to them in the past.
In the ever-evolving cyber landscape, where hackers continually devise innovative ways to exploit vulnerabilities, our awareness becomes paramount in safeguarding against emerging threats. We must never forget that there are malicious actors always trying to find new and unexpected ways to exploit and attack. It cannot be overstated how important awareness and knowledge of emerging threats are for preventing attacks and data breaches. And even things as straightforward as reading this blog can be the difference between falling for quishing and remaining safe online.
Building a multi-layered security strategy can help overcome the impact of a successful quishing attack. And I recommend getting the basics right first. A good example here is Cyber Essentials certification and especially Cyber Essentials Plus. This makes you look at the elemental security components of your organisation and build a strong foundation. Even businesses with a mature security strategy can benefit from Cyber Essentials certification. Who knows, you might even get me as your Cyber Essentials Assessor!
Jason’s experience as a Cyber Essentials Plus Assessor has given him a keen insight into helping businesses make smart, effective improvements to their security posture. He leverages his technology background to make Cyber Essentials certification as painless as possible for his clients.