QR codes have become part of everyday life. Cybercriminals take advantage of this to spread fraudulent links, redirect users to fake websites, or install malicious applications.
Thanks to the simulations I set up, your employees will learn how to analyze a QR code before scanning it.
What is quishing?
Quishing is an attack that uses a fake QR code to redirect the user to a fraudulent website, retrieve their login credentials, or trigger a risky action on their device.
The goal: to take advantage of the "I scan without thinking" reflex to bypass the usual security blocks (email filters, anti-phishing protections).
These attacks frequently target:
- employees on business trips,
- users scanning posters, tickets, or printed materials,
- teams using professional applications via QR code,
- reception areas or places open to the public.
Why simulate quishing?
- To raise awareness of the risks associated with a technology perceived as "harmless."
- To learn how to verify the legitimacy of a medium before scanning.
- To limit the risks associated with fraudulent connections, fake portals, and malicious redirects.
- To empower users regarding mobile usage.
How do I work?
-
1. I create realistic QR codes
I generate QR codes that lead to fake pages imitating internal, logistical, or administrative services.
-
2. I distribute these QR codes in various media.
Emails, internal posters, fake tickets, mobile campaigns... depending on your actual usage.
-
3. I analyze the reactions
Scans, page opening, information entry: I assess vigilance with regard to this format.
-
4. I explain the warning signs immediately.
I show what should have raised alarm bells: location, context, URL, unusual request...
-
5. I provide summary feedback.
With a clear view of the teams most vulnerable to this type of attack.
Essential best practices
- Check the origin of the media before scanning.
- Be wary of QR codes in public places, but also in professional settings.
- Always analyze the URL before proceeding.
- Never enter credentials after an unexpected scan.
- Report any suspicious QR codes to your internal support team.
