Quishing: How Much Do You Really Trust QR Codes?


You have likely scanned dozens of QR codes over the past few years, possibly even over the past few days. They are used for restaurant menus, event tickets, business cards, and so much more, and they’re an effective method to redirect you to the correct information. Unfortunately, that also means that they’re an effective method for cybercriminals to steal your data or infect your device with malware.

What is QR code phishing?

QR code phishing, or quishing, is a form of phishing in which the attacker tricks people into scanning malicious QR codes, which either lead them to a fake website or download malware onto their device.

The increase in quishing attacks is primarily due to the convenience of QR codes and the weak means of verifying one before scanning it: a person cannot read the encoded address by eye, so they have to trust where the code leads. Furthermore, it doesn’t require much technical skill to create a QR code, and distribution can be as simple as sticking posters to a streetlamp.

How does a basic quishing scam work?

Let’s break down a simple QR code phishing attack into five steps:

  1. An attacker creates a malicious website or file, then generates a QR code that directs people to it. The site or app will usually imitate a legitimate company or service.
  2. The fake QR code is placed in a busy location where it is likely to be seen.
  3. Someone scans the fake QR code thinking it will open a legitimate restaurant menu, company website, etc.
  4. The person is redirected to the fake website instead, where they are prompted to either enter their personal information or download an app.
  5. Lastly, and unfortunately, their account or device has been compromised, and they have fallen for the scam.

How can you protect yourself from quishing?

  • Be careful when scanning QR codes, especially in public places where it may be harder to verify if the QR code is legitimate.
  • Try to confirm the legitimacy of the QR code before scanning and don’t scan random QR codes from street posters.
  • Check that the website URL begins with “https”. This means the connection to the site is encrypted, which is a minimum requirement, though it does not by itself prove the site is the one you expected.
  • Use a scanning app that previews the URL before opening it. Seeing the address first lets you judge whether the QR code points where it claims to.
  • Update the software on your device regularly and use an antivirus solution to check for malware.
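Previewing the URL only helps if you know what to look for in the previewed address. The following Python helper is added here as an illustration and is not code from the original post: it takes the text a scanner app has already decoded from a QR code (so no image decoding is needed) and lists the reasons to distrust it before you tap through. It applies the post’s own https check and adds a few others a defender would want: credentials hidden before an “@” in the address, a bare IP address instead of a domain name, punycode (look-alike) domains, unusual ports, and a mismatch against the domain you expected to see, for example the one printed on the menu. The `expected_domain` parameter and the sample payloads at the bottom are constructed for the example.

```python
"""Inspect the URL decoded from a QR code before opening it.

Illustrative helper (not from the original post). It assumes the scanner
app has already turned the QR image into a string payload.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class UrlReport:
    url: str
    host: str
    warnings: List[str] = field(default_factory=list)

    @property
    def safe_to_open(self) -> bool:
        # No warnings means none of the checks below fired; it is still the
        # reader's decision whether to open the link.
        return not self.warnings


def inspect_qr_url(payload: str, expected_domain: Optional[str] = None) -> UrlReport:
    """Return a report listing reasons to distrust a decoded QR payload.

    expected_domain is the domain you expected to see (hypothetical input,
    e.g. the one printed on the menu); pass None if you have nothing to
    compare against.
    """
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    report = UrlReport(url=payload, host=host)

    # Non-web payloads (plain text, wifi:, mailto:) are out of scope here.
    if parts.scheme not in ("http", "https"):
        report.warnings.append(f"unexpected scheme {parts.scheme!r}")
        return report

    # The post's own check: an http:// link is not encrypted in transit.
    if parts.scheme != "https":
        report.warnings.append("not https: the connection is not encrypted")

    # 'trusted.example@other.example' actually connects to other.example;
    # everything before the '@' is treated as a username by the browser.
    if parts.username is not None:
        report.warnings.append("URL contains a username before the host ('@' trick)")

    # Customer-facing sites almost always use a domain name, not a raw IP.
    try:
        ip_address(host)
        report.warnings.append("host is a raw IP address, not a domain name")
    except ValueError:
        pass

    # Punycode labels (xn--...) may render as look-alike characters in the
    # address bar, so the visible name can differ from the real one.
    if any(label.startswith("xn--") for label in host.split(".")):
        report.warnings.append("internationalized (punycode) domain; check for look-alike characters")

    # A non-standard or malformed port is another sign of an improvised link.
    try:
        port = parts.port
    except ValueError:
        port = None
        report.warnings.append("malformed port in URL")
    if port not in (None, 80, 443):
        report.warnings.append(f"unusual port {port}")

    # Compare against the domain you expected, allowing its subdomains.
    if expected_domain:
        exp = expected_domain.lower()
        if not (host == exp or host.endswith("." + exp)):
            report.warnings.append(f"host {host!r} is not {exp!r} or a subdomain of it")

    return report


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would hand them over.
    samples = [
        ("https://menu.example-restaurant.com/table/12", "example-restaurant.com"),
        ("http://example-restaurant.com@198.51.100.7/menu", "example-restaurant.com"),
        ("https://xn--pypal-4ve.example/login", None),
        ("WIFI:T:WPA;S:cafe;P:secret;;", None),
    ]
    for payload, expected in samples:
        r = inspect_qr_url(payload, expected)
        verdict = "no warnings" if r.safe_to_open else "; ".join(r.warnings)
        print(f"{payload}\n  -> {verdict}")
```

The second sample shows why a preview is worth reading closely: the address starts with the restaurant’s name, but the host the browser would actually connect to is the IP address after the “@”.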

What to do if you think you’ve scanned a malicious QR code

If you suspect that you may have scanned a malicious QR code, follow these steps to protect yourself:

  • Change your password: Begin with the account that you think may be compromised. Always use strong and complex passwords.
  • Use MFA: Enable multifactor authentication (MFA) on all your accounts if you have not done so already. MFA adds another layer of protection to your account.
  • Monitor your accounts: Check for any unauthorized changes or suspicious transactions on your account. If you spot any abnormal activity, notify your bank or credit card provider immediately.
  • Scan your device: The QR code could have downloaded malware. Run a scan to detect any malicious programs or files.
  • Report the quish: Contact the legitimate company to inform them of the scam. Companies often have dedicated teams to investigate security-related issues, which can prevent further damage to others.

QR codes are very useful and help simplify our lives, but use them cautiously. If you are unsure whether a code is legitimate, you always have the good old-fashioned method of typing the address or searching for it manually – as a last resort, of course. Be secure!
