Cybersecurity is a never-ending game of cat and mouse. Every time we make progress, cybercriminals evolve their tactics, looking for new ways to bypass our defenses. For many dealerships, deploying endpoint detection and response (EDR) tools feels like a solid step in the right direction—and it is—but it’s only one piece of the puzzle. Without a comprehensive information security program, your dealership might still be vulnerable. One of the latest tricks up cybercriminals’ sleeves? A tactic called quishing.
What is Quishing?
You’ve probably seen QR codes everywhere—from menus to ads and even in email footers. They’re a convenient way to bridge the digital and physical worlds, letting you scan with your phone and quickly access information. Unfortunately, cybercriminals have taken advantage of this convenience and turned it into a weapon. Quishing, a play on the word phishing, involves tricking users into scanning a QR code that leads to a malicious website, usually designed to steal login credentials or other sensitive data.
How Are These Attacks Evolving?
In the past, you might have seen QR codes embedded directly into phishing emails, but now attackers are getting sneakier. In recent research, Barracuda analyzed over half a million phishing emails with QR codes in just a three-month period. But instead of embedding the QR codes directly in the email, attackers are now slipping them into attached PDF documents.
These PDFs usually impersonate well-known brands—Microsoft, DocuSign, and Adobe are some of the favorites. The email itself often has a sense of urgency, pushing the recipient to scan the QR code to access a file or sign a document. Once the user scans the code with their phone, they’re taken to a phishing site designed to steal their login credentials.
Why is Quishing So Dangerous?
Quishing presents a unique challenge because it targets more than just your computer system. These attacks often involve two devices: the phishing email is received on a computer, but the QR code is scanned using a mobile phone, which may lack the same security protections as your dealership’s devices.
To make matters worse, traditional email filters and security tools struggle to detect quishing attacks. The message contains no suspicious link or malicious attachment for them to flag, because the destination URL is encoded inside the QR code image. This evolving strategy makes it incredibly difficult for dealerships to track and block quishing before it reaches employees’ inboxes.
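One way a mail team could triage for the pattern described above (a PDF attachment, an impersonated brand, urgent wording, an instruction to scan, and no link in the body), as an added example that is not part of the original article. The function names, phrase lists, threshold and sample message are assumptions constructed for illustration; only the brand names come from the text.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Brand names come from the article; phrase lists and the threshold are assumptions.
BRANDS = ("microsoft", "docusign", "adobe")
URGENCY = ("urgent", "immediately", "expires", "action required")
QR_HINTS = ("qr code", "scan the code", "scan with your phone")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def quishing_signals(raw_message: str) -> list:
    """Return the quishing indicators present in one raw e-mail message."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    has_pdf = any(
        a.get_content_type() == "application/pdf"
        or (a.get_filename() or "").lower().endswith(".pdf")
        for a in msg.iter_attachments()
    )
    checks = [
        ("pdf_attachment", has_pdf),
        ("brand_mention", any(b in text for b in BRANDS)),
        ("urgency_wording", any(u in text for u in URGENCY)),
        ("qr_instruction", any(q in text for q in QR_HINTS)),
        # The lure carries no clickable link; the URL sits inside the QR image.
        ("no_link_in_body", URL_RE.search(body) is None),
    ]
    return [name for name, hit in checks if hit]

def needs_review(raw_message: str, threshold: int = 3) -> bool:
    """Hold for analyst review: a PDF plus at least `threshold` signals in total."""
    signals = quishing_signals(raw_message)
    return "pdf_attachment" in signals and len(signals) >= threshold

def build_sample() -> str:
    """Constructed sample message; the attachment bytes are a stub, not a real PDF."""
    m = EmailMessage()
    m["From"] = "billing@example.com"
    m["To"] = "staff@example.com"
    m["Subject"] = "Action required: sign your DocuSign document"
    m.set_content("Your document expires today. Open the attached PDF and "
                  "scan the QR code with your phone to sign it.")
    m.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                     subtype="pdf", filename="Document.pdf")
    return m.as_string()

if __name__ == "__main__":
    print(quishing_signals(build_sample()), needs_review(build_sample()))
```

This scores message metadata and wording only; it does not decode the QR image itself, so treat a hit as a reason to route the message for review rather than as a verdict.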
What Can Dealerships Do to Protect Themselves?
The key to defending against quishing—and other evolving cyber threats—is a multi-layered approach to security. Here’s what you can do:
- Deploy Multilayered Email Security: It’s not enough to rely on a single security measure. Dealerships should put robust spam and malware filters in place, and ensure they’re properly configured. IT teams should regularly check their email gateway settings to ensure they’re performing optimally.
- Leverage AI and Advanced Technology: Cybercriminals are constantly finding new ways to bypass traditional defenses, which is why it’s important to use AI-powered cloud email security solutions. These don’t just look for suspicious links or attachments but can identify and block more targeted phishing attacks, like quishing.
- Educate Your Team: Security awareness training is a crucial line of defense. Ensure your employees understand the risks of scanning QR codes from unknown sources and can recognize quishing attacks when they see them. Employees should also know how to report these attempts to your IT team.
- Enable Multifactor Authentication (MFA): Even if attackers manage to steal login credentials, MFA adds an extra layer of protection, making it harder for cybercriminals to gain access to your systems. But MFA only helps if it is implemented and correctly configured. Simply having MFA isn’t enough, yet that is the situation at many dealerships.
A Comprehensive Information Security Program Is Essential
At the end of the day, deploying a tool like EDR is important, but it’s not enough. Cybercriminals are evolving their tactics at a rapid pace, and a static security approach can’t keep up. A comprehensive information security program is essential to staying ahead in this never-ending battle. By being proactive and staying vigilant, you can better protect your dealership from these emerging threats, including quishing.