Quishing (QR Phishing): What It Is and How to Stay Safe
QR codes are everywhere these days! Whether looking up a restaurant menu or scanning a code to play a game with friends, it’s not uncommon to pull out your smartphone and scan a QR code.
Unfortunately, this useful tool has been exploited by cybercriminals. Just like phishing attempts try to get you to click on malicious links so that cyber attackers can steal your personal information, a new type of scam called “quishing” tries to get you to open dangerous QR codes.
Protecting yourself from quishing requires knowledge and care. Let’s make sure you’re safe from this newer type of cyber attack!
How are legitimate QR codes used?
First, let’s take a look at situations in which QR codes are used correctly. Legitimate businesses use QR codes for a variety of purposes, most of which are perfectly safe.
- Product packaging: QR codes may be printed on product packaging to provide more information about the item. This may include details on ingredients, nutritional info, manuals, and building instructions.
- Advertising and marketing: You may find a QR code that takes you to a special deal, downloadable coupon, online stores, etc. These may be scanned from billboards, print ads, business cards, flyers, signs, etc.
- Special events and conferences: Event tickets, name badges, brochures, and signage often have scannable QR codes to give you access to schedules, presenter bios, presentations, maps of the venue, and more.
- Restaurants and bars: What started as a Covid-era precaution in the restaurant industry has stuck around. Many restaurants and bars use QR codes instead of paper menus. Sometimes you can also use a QR code to pay your bill, access nutrition information, and look at specials.
- Education: QR codes often show up in textbooks, class handouts, digital presentations, and classroom games. Students use them to access material for learning, studying, researching, taking quizzes, and more.
- Real estate: Want to take a closer look at a property? Yard signs, online property listings, and print ads can include a QR code so that you have access to the full listing with more photos, floor plans, and other details.
- Travel: QR codes can allow you to access travel itineraries, boarding passes, destination information, maps, etc. You’ll find these codes on luggage tags, boarding passes, confirmation emails, apps, etc.
- Retail stores: Retailers will put QR codes on products, in fitting rooms, and on receipts so that you can learn more, see your options, access reward programs, and even pay online.
How do cybercriminals use QR codes for quishing scams?
With so many legitimate uses of QR codes, it is no surprise that scammers saw an opportunity to get people to scan malicious codes.
When a cyber attacker creates a quishing attack, they create a fake QR code that leads to a phishing site. A famous example is the use of QR codes on parking meters. After all, many municipalities use QR codes so that people can pay their parking fees online, rather than with change or a credit card at the meter. Scammers take advantage of this by placing a sticker on a parking meter with a fraudulent QR code on it.
When you scan the code, you are greeted by a website that says it is the parking company or the city. If you trust what you’re looking at, you simply input your information, including your name, email address, contact information, and credit card information.
Unfortunately, you haven’t just paid an illegitimate parking company, but you have also handed over your credit card information to a cyber-criminal. Plus, you’re not actually parked legally, which means you may receive a ticket or have your car towed for non-payment. How frustrating!
These fake QR codes often look legitimate, especially if they are mimicking the websites of real companies. It can be difficult for even the most savvy smartphone users to spot some of these phishing sites!
Common quishing goals
In addition to tricking you into entering payment information on a fake website, quishing scammers will also try to do the following:
- Access your login credentials for sites that store your personal information
- Access your financial information
- Get you to pay them money
- Install malware
- Enroll you in a fraudulent subscription service
- Get you to fill out a survey with lots of personal information
- Gather personal information about you so they can impersonate you by answering your security questions
- Access sensitive company data from devices and accounts that you use for work
What about quishing via email?
Although it’s normal to encounter QR codes that are printed or shared in public spaces, you could also receive an email that includes a QR code. The email will tell you to “simply grab your smartphone and scan this QR code for more information!” These are often fraudulent.
Most email providers identify scams by recognizing signs of questionable URLs and attachments. However, QR codes can be embedded as plain images, which helps scammers bypass those security measures.
Often, the email will come from a phishing account that looks like a familiar sender, but it is really from the scammer. Your curiosity may prompt you to open the QR code using your phone. Alternatively, the email may apply pressure by warning that your account will be locked if you don’t take action right away.
Regardless, there are very few reasons why a legitimate sender would need to have you open an email and then scan an included QR code with your smart device.
How to protect yourself from quishing scams
As you can tell, quishing scams can cause a lot of damage! Like other forms of hacking, falling victim to quishing can lead to significant financial losses, issues proving your identity, damage to your credit, and both professional and personal ramifications.
Take these steps to protect yourself from these scams:
- If scanning a QR code leads you to a place to input information or log into an account, think twice before taking those steps.
- Be skeptical of any QR code offering a special deal or exclusive discount.
- When there is an alternative to using a QR code, use that.
- Always double-check the URL for any webpage you open from a QR code.
- If you scan a QR code and realize it has taken you to a completely unfamiliar website, exit immediately.
- Verify the source of the QR code.
- In general, avoid using QR codes from strangers.
- If you are using a third-party app (instead of your phone’s camera or Google Lens), be sure to verify the authenticity of the app.
- Enable two-factor authentication on your accounts and devices to protect you from scammers who may access your password via a QR code.
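The "double-check the URL" step above can be written down as a few concrete checks. The Python sketch below is an added example, not part of the original article: the function name, the warning wording, and the sample links (reserved example domains and a documentation IP address) are constructed for illustration, and it assumes you already know which domain the real service uses.

```python
import ipaddress
from urllib.parse import urlsplit

def check_qr_url(payload, expected_domains):
    """Return warnings for text decoded from a QR code (empty list = no red flags)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["link is malformed"]
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme: {parts.scheme or 'none'})"]
    if not host:
        return ["link has no site name"]
    warnings = []
    if parts.scheme == "http":
        warnings.append("connection is not encrypted (http)")
    # Anything before '@' is a username, not the site: a common disguise.
    if parts.username is not None:
        warnings.append("text before '@' is not the real site name")
    try:
        ipaddress.ip_address(host)
        warnings.append("site is a raw IP address, not a name")
    except ValueError:
        pass  # host is a name, which is what we expect
    # Non-ASCII or punycode labels can imitate familiar letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("site name can contain lookalike characters")
    # The expected domain must be the END of the host, not just appear in it.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        warnings.append(f"site {host} is not an expected domain")
    return warnings

# Constructed samples: what a scanner might decode from a parking-meter sticker.
EXPECTED = ["parking.example.org"]
SAMPLES = [
    "https://parking.example.org/pay?zone=12",
    "http://203.0.113.7/pay",
    "https://parking.example.org@pay-meter.example.net/login",
    "https://parking.example.org.pay-meter.example.net/",
    "WIFI:S:guest;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_qr_url(sample, EXPECTED) or "no red flags")
```

Only the first sample passes; the third and fourth show why reading the start of a link is not enough, since the real site name is whatever comes last before the first single slash.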
What to do if you fell for a quishing scam
If you find that you have fallen for a quishing scam, don’t panic. It is important to take some intentional steps to protect your finances, identity, and data. Panicking doesn’t help!
Your first step will be to change any passwords and security PINs that you entered after scanning the code. Scammers won’t waste any time; they will immediately try to access your accounts using the credentials you provided. If you haven’t already enabled two-factor authentication, do that right away for as many sites and apps as possible.
They will also use the same email, username, and password credentials to try to access accounts that you are likely to have: major banks, credit card companies, and online retailers. This is why it’s always a good idea to use different passwords for your accounts – it makes it harder for hackers to use your credentials to access multiple sites.
Your next step is to contact your bank if you entered any financial information. You may also choose to shut down any credit or debit accounts that you used to pay for something at the QR website. Report any possible signs of fraudulent activity on your accounts.
Finally, scan your device immediately (and again later) for any signs of malware, spyware, and viruses. Malicious sites you accessed via QR code could have downloaded something to your phone without your knowledge. Run a deep virus scan using security software and remove anything suspicious.
Additionally, you can sign up for credit monitoring if the scammers managed to harvest a lot of personal information, such as your social security number, full name, birth date, and credit card information.
Should you report the quishing scam to someone?
If the quishing scam pretended to be a legitimate business, whether that is a bank, a retailer, or even a parking company, contact that entity and let them know. They track the scam reports they receive and will use the information to warn others.