<![CDATA[The development of technology in Internet banking services facilitates customers’ financial transactions. However, this can also create opportunities for cybercrime threats, including a quishing attack. A quishing attack is a type of phishing attack that uses a QR Code to redirect victims to a fake website to steal sensitive information. This research formulates an attack tree model for quishing attacks by combining OSINT, social engineering, and QR Code exploitation, structured using data flow diagrams and evaluated with time-based metrics. The attack was simulated as a Proof of Concept (PoC) to realistically depict the stages of exploitation. Results from the experiments show that the fastest attack path using the OSINT tool Truecaller, the social engineering tool SEToolkit, and the QR Code tool Qrencode takes 248.31 seconds. This path is considered more efficient, outperforming the second fastest combination, which uses the OSINT tool Find Mobile Number Location by 25.15 seconds, with a total time of 273.46 seconds. Truecaller’s advantage lies in its ability to obtain data quickly without requiring a geographic location process like the Find Mobile Number Location tool. This approach shows that banking institutions can integrate time-based metric attack trees to assess vulnerability response times, simulate realistic threat scenarios, and develop more effective incident response strategies to prevent unauthorized access during quishing attacks.]]>
Copyrights © 2026
