Quishing (QR Phishing)

QR codes have become an almost indispensable part of everyday life. They appear on posters, in restaurants and in e-mails, and are used to make payments. It is precisely this convenience that cyber-criminals are now abusing. This scam is called quishing, a combination of "QR code" and "phishing".

What is quishing?

In quishing, scammers use manipulated or fake QR codes to lead users to fraudulent websites or tempt them into entering sensitive data. In contrast to classic phishing attacks, it is not easy to see where a QR code will lead before you scan it, which is a disadvantage as far as security is concerned.

How does a quishing attack work?

A typical quishing attack consists of several steps:

  1. Criminals place QR codes in different places or stick them over existing ones. This may for instance include parking ticket machines, posters, flyers or e-mails.
  2. Once a victim scans this QR code, it leads to a website which looks deceptively real (a phishing website). This might be a login page, or the page of a parcel or payment service.
  3. Should someone not recognise the fake and enter their access data or confirm a payment there, this information ends up straight with the scammers involved.

In some rare cases, QR codes can also be abused to install malware on smartphones.

This is how to protect yourself against quishing

Some simple precautionary measures considerably reduce the risk:

  • Only scan QR codes coming from trustworthy sources.
  • Only use QR code scanners which display the content of the code before processing it.
  • Once you have scanned a QR code, always check the link destination (domain name) or payment information before opening the target website or executing any transactions.
  • Don’t enter any credentials, credit card data or codes into a website reached via a QR code.
  • Be wary of QR codes that come with pressure or a sense of urgency.
  • Preferably, you should enter important website addresses manually into a browser.
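
The "display the content first, then check the domain name" advice above, written out as an added Python example that is not part of the original page. The expected domains and the sample payloads are constructed assumptions; the function only inspects the decoded text and never opens the link.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the user expects (assumption, not from the page).
EXPECTED_DOMAINS = {"examplebank.test", "cityparking.example"}

def inspect_qr_payload(payload, expected=EXPECTED_DOMAINS):
    """Classify text decoded from a QR code without opening it.

    Returns (verdict, host, reasons); verdict is "ok", "suspicious"
    or "not-a-web-link".
    """
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "suspicious", None, ["content could not be parsed as a link"]
    if parts.scheme not in ("http", "https"):
        return "not-a-web-link", None, ["not a web address; read it before acting on it"]
    if not host:
        return "suspicious", None, ["link has no host name"]

    reasons = []
    if parts.scheme != "https":
        reasons.append("connection is not HTTPS")
    if "@" in parts.netloc:
        reasons.append("text before '@' is not the destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label can imitate another name")
    # The destination is decided by the END of the host name,
    # not by where a familiar name appears inside it.
    if not any(host == d or host.endswith("." + d) for d in expected):
        reasons.append("domain is not on the expected list")
        if any(d in host for d in expected):
            reasons.append("expected name appears in the host but is not the real domain")
    return ("suspicious" if reasons else "ok"), host, reasons

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would hand them over after decoding.
    samples = [
        "https://www.examplebank.test/login",
        "https://examplebank.test@pay-portal.example/login",
        "http://examplebank.test.login-verify.example/",
        "https://xn--exmplebank-q5a.test/",
        "WIFI:S:guest;T:WPA;P:constructed;;",
    ]
    for s in samples:
        verdict, host, reasons = inspect_qr_payload(s)
        print(f"{verdict:15} {host or '-':40} {'; '.join(reasons)}")
```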

Conclusion

QR codes are convenient, but not automatically secure. Quishing shows that even state-of-the-art technology can be abused. If you remain vigilant and observe some basic security rules, you can effectively protect yourself against this type of scam.
