For all the money spent by government agencies and contractors on cybersecurity, the human element remains a vexing and dangerous variable. Even reliable employees can behave unpredictably online, especially when conducting business and personal pursuits on the same device.

Enter “quishing,” a combination of “QR code” and “phishing” that the FBI says represents a growing cybersecurity menace. The threat is as simple as it is ingenious. Whereas most of us are well-attuned to the risks of clicking questionable website links, the innocuous-looking and increasingly common QR code doesn’t seem to carry the same baggage. That’s exactly why cyber thieves, and potentially foreign intelligence services, are seeking to exploit it.

The process involves directing an end user to a fraudulent website through a QR code – for example, sending an email with a QR code under the guise of a service request like this:

“Dear employee, your retirement account statement for the year 2023 is now available for review. Please use your smartphone camera to scan the code below for direct access to your earnings statements, account statements, and balance.”

Because the design of QR codes makes it impossible for the user to know where the code will direct them after scanning, the individual is taking an enormous leap of faith that the website is legitimate. If it turns out to be fraudulent, the user may not know that until he or she has already entered personal data like their username and password, both of which are commonly recycled across a multitude of computer systems and websites.

The resultant likelihood of identity theft would be bad enough, but clearance holders who engage in risky cyber practices also run the risk of security clearance problems if compromised login credentials result in the breach of an employer’s IT system. Even unclassified federal agency and government contractor IT systems can offer a trove of valuable information for hostile actors. Clearance holders should be alert to this risk and the extent to which they may be a target.

While it is unlikely that a single, inadvertent slip-up will result in denial or revocation of clearance, a scenario like this could cause enormous problems if it is part of a larger, documented pattern of security negligence. I defended plenty of federal employees and contractors during my career who had the misfortune of one-too-many IT security incidents. Some of these folks lived to fight another day; others lost their careers over it.

To avoid that same fate, here are a few tips from the FBI on protecting yourself from this latest cyber threat:

  • Once you scan a QR code, check the URL to ensure it is the intended site and looks authentic.
  • Practice caution when entering login, personal, or financial information on a site navigated to from a QR code.
  • If you scan a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
  • Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
  • Do not download a QR code scanner app (author’s note: especially not on an employer-owned smartphone). This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
  • Do not download an app from a QR code; use the phone’s app store for safer downloads.
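
The first tip, checking the URL a code resolves to, can also be applied mechanically to the text a scanner decodes before anything is opened. The sketch below is an added example, not code from the FBI or from this article; the trusted host `benefits.example.gov` and the sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only host the organization really uses for this service.
TRUSTED_HOSTS = {"benefits.example.gov"}

def assess_qr_payload(payload, trusted_hosts=TRUSTED_HOSTS):
    """Return reasons not to trust the text decoded from a QR code.
    An empty list means an expected host reached over HTTPS."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        parts.port  # accessing it raises ValueError on a malformed port
    except ValueError:
        return ["not a parseable URL"]
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("scheme is not https")
    if not host:
        return reasons + ["no host"]
    if parts.username is not None or parts.password is not None:
        reasons.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass  # a name, not an IP literal
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalized host may imitate a trusted name")
    # Exact match only: a trusted name used as a prefix of a longer host fails.
    if host not in trusted_hosts:
        reasons.append(f"host {host!r} is not an expected site")
    return reasons

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them.
    samples = [
        "https://benefits.example.gov/statements/2023",
        "http://benefits.example.gov/",
        "https://benefits.example.gov@203.0.113.7/login",
        "https://benefits.example.gov.account-review.example/s",
    ]
    for s in samples:
        print(s, "->", assess_qr_payload(s) or "looks like the expected site")
```

Matching the full host name exactly is the point of the check: a familiar name appearing somewhere in the address is not evidence that the site is the intended one.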

 

This article is intended as general information only and should not be construed as legal advice. Although the information is believed to be accurate as of the publication date, no guarantee or warranty is offered or implied. Laws and government policies are subject to change, and the information provided herein may not provide a complete or current analysis of the topic or other pertinent considerations. Consult an attorney regarding your specific situation. 

 

Sean M. Bigley retired from the practice of law in 2023, after a decade representing clients in the security clearance process. He was previously an investigator for the Defense Counterintelligence and Security Agency (then-U.S. Office of Personnel Management) and served from 2020-2024 as a presidentially-appointed member of the National Security Education Board. For security clearance assistance, readers may wish to consider Attorney John Berry, who is available to advise and represent clients in all phases of the security clearance process, including pre-application counseling, denials, revocations, and appeals. Mr. Berry can be found at https://www.berrylegal.com/practice-areas/security-clearance/.