QR codes have played a very important role in our lives for the past few years. They are widely used for various purposes, and their impact has likely continued to grow. They are frequently used for mobile payments; in marketing campaigns to give consumers quick access to websites, promotional offers, product information, or multimedia content; for digital menus and ordering in restaurants; on social login platforms; for two-factor authentication; and much more. Before diving deeper, let's look at QR codes in a nutshell.
QR codes or Quick Response codes are two-dimensional barcodes that a smartphone or barcode scanner can scan. These enhanced barcodes have many advantages over the traditional one-dimensional versions that we are used to seeing on supermarket products – some of them being the large volume of data they can store, the possibility to read them even if partially damaged, and the convenience and speed of data transmission.
Phishing is a type of cybersecurity attack during which malicious actors send messages pretending to be a trusted person or entity. Phishing messages manipulate a user, causing them to perform actions like installing a malicious file, clicking a malicious link, or divulging sensitive information such as access credentials.
Now the question that comes to mind is, before you scan a QR code, are you sure you know where it is going to take you? Surely not!
As quick response codes have become part of everyday life, cybercriminals have begun leveraging the newly established trust we have when we interact with one in the wild. While QR code phishing isn't much different from a standard phishing attack, the one major difference is what makes this new approach so effective: QR attacks are built to bypass standard email security tools. Most email security software looks for things like suspicious links, dangerous file types, and impersonation attempts when determining whether an email is safe to deliver to your inbox. QR code phishing emails don't typically contain any of these common red flags, allowing them to reach their intended target more regularly. The malicious email simply contains an image that the bad actor hopes you will scan with your smartphone. QR codes in emails aren't the only ones you need to be wary of, either. Any QR code can be dangerous, whether on a website, a street sign or even at a restaurant. It is important to always check the destination of the link before opening it, and if you can't, it's best to just move on.
"Since early 2022, the FBI has warned that fake QR code scams are on the rise. These scams hijack normally safe QR codes and send you to phishing websites that steal your financial information."
Quishing (QR code + phishing) is a type of phishing attack that uses QR codes to trick people into visiting a malicious website or downloading a virus-filled document. Because QR codes can point to a variety of sources, such as links, documents, and payment portals, they can be manipulated to hold malicious links, documents containing viruses, and false payment portals. As the source behind a QR code is undetectable when it is pasted as a plain image, QR codes give scammers the perfect opportunity to bypass security filters by including them in emails.
A quishing attack begins with a cybercriminal creating QR codes that lead to either a fake login page, where they collect the credentials of their victims, or a downloadable virus or malware, which begins downloading immediately after the code is scanned. These codes can then be planted into emails as images or within attachments, but they can also be displayed in public places where victims are likely to scan them. After scanning the QR code, victims are asked to provide sensitive information such as login credentials or bank details, or to download malicious software or apps. The download can also happen automatically right after the code is scanned, further infecting their device.
Now you may ask, are QR codes always safe to scan? And what should you do if you have already scanned an infected QR code?
Here are 10 tips and tricks to help you avoid falling victim to such attacks:
Always double-check the source of the QR code before scanning it. If you receive a QR code via email, messaging apps, or from an unknown source, be cautious. Only scan QR codes from trusted and reputable sources.
Install a reliable and secure QR code scanner app from a reputable app store. Some third-party apps may have vulnerabilities that attackers can exploit. Stick to well-known apps with positive reviews.
Before visiting any website linked by the QR code, inspect the URL. Check for misspellings or variations that may indicate a phishing attempt. If the URL looks suspicious, avoid scanning the QR code.
Be cautious if the QR code prompts you to enter sensitive information. Legitimate QR codes should not request personal details such as passwords, credit card numbers, or other confidential information.
Consider using QR codes as a part of two-factor authentication (2FA) systems. This adds an extra layer of security and helps ensure that the QR codes are generated by a trusted authentication system.
Keep your device's operating system and QR code scanning apps up-to-date. Software updates often include security patches that protect against known vulnerabilities.
Some QR code scanner apps allow you to preview the URL before visiting the website. Enable this feature to get a glimpse of the website and decide whether it looks legitimate.
If you're in an organizational setting, educate employees and users about the potential risks of QR code phishing (Quishing). Provide guidelines on safe scanning practices and encourage reporting of any suspicious QR codes.
Implement QR code security standards and best practices. For example, some QR codes can include security features like encryption and digital signatures to enhance their authenticity.
If you encounter a QR code that appears suspicious, report it to the relevant authorities or the platform where you encountered it. Reporting helps prevent others from falling victim to the same phishing attempt.
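The URL inspection recommended in the tips above (checking for misspellings or variations before visiting a site), as an added example that is not part of the original article: it takes the text a scanner decoded from a QR code and lists the warning signs it finds. The trusted-domain list, the function names and the sample URLs used with it are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the domains your organisation really uses (constructed values).
TRUSTED = {"example.com", "pay.example.org"}

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def inspect_qr_payload(payload):
    """Return a list of warnings for text decoded from a QR code ([] = none)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed URL"]
    if parts.scheme not in ("http", "https"):  # Wi-Fi, vCard, plain text, ...
        return ["not a web link: scheme %r" % parts.scheme]
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    warnings = []
    if parts.scheme == "http":
        warnings.append("plain http, no TLS")
    if "@" in parts.netloc:  # https://trusted.name@other.host/ goes to other.host
        warnings.append("text before '@' is not the host; real host is " + host)
    if is_ip(host):
        return warnings + ["raw IP address instead of a domain name"]
    if not host.isascii() or "xn--" in host:
        warnings.append("internationalised host, possible look-alike characters")
    if host in TRUSTED or any(host.endswith("." + t) for t in TRUSTED):
        return warnings  # exact match or a genuine subdomain of a trusted domain
    for t in sorted(TRUSTED):
        if edit_distance(host, t) <= 2:
            warnings.append("misspelling of trusted domain " + t)
        elif t in host:
            warnings.append("trusted name %s embedded in unrelated host" % t)
    return warnings + ["host is not on the trusted list"]
```

An empty list only means none of these specific checks fired; it does not prove that the destination is safe.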
Quishing, or QR Code Phishing, represents a potent and evolving threat in the digital landscape. This sophisticated attack leverages the widespread use of QR codes for seamless connectivity, exploiting the trust users place in this technology. As demonstrated by this malicious technique, cybercriminals can ingeniously manipulate QR codes to redirect users to deceptive websites, compromise sensitive information, and facilitate identity theft.