Quishing

For this week’s edition of Fraud Friday, we are going to look into Quishing Scams. In your day-to-day life, you probably encounter many different QR codes around town or at local businesses. Many businesses use QR codes to let you pull up a restaurant menu or simply to direct you to a website. While the vast majority of QR codes are perfectly safe, fraudsters are beginning to use QR codes as a method of scamming you. Quishing is QR phishing: it uses QR codes to trick you into visiting malicious websites or downloading harmful content. Quishing attacks are rising quickly, increasing from 0.8% of all cyberattacks in 2021 to nearly 11% in the first half of 2024. Let’s learn about this new scam and how to avoid becoming a victim.

 

How Does Quishing Work?

  • Attackers create a QR code and link it to a malicious website. The code looks legit, and since COVID, QR codes are way more common. Restaurants even use QR codes for their menus, and more than 1/3 of smartphone users scan at least one QR code per week. If you see a QR code at a restaurant, while out shopping, or online, it wouldn’t seem out of the ordinary, and you are likely to just scan it without thinking about it. Hackers and scammers know this, and they are taking full advantage.
  • After the QR code is created, it is shared in various ways. Attackers use social engineering techniques such as promising a free gift or a discount, while other attacks ask you to verify account details. You might receive these QR codes in an email or see them on a poster in a public place. By appearing in a familiar setting, scammers catch their victims off guard.
  • Once the QR code is scanned, the victim thinks they are being directed to a real and trustworthy site, only to be redirected to a malicious one.  They are then prompted to enter sensitive information and personal data.  Sometimes these websites automatically download malware onto the victim’s device.  Malware steals data and gives the attacker remote access to the victim’s device.

Why is Quishing so Dangerous?

  • QR codes are just images, and they bypass traditional security measures.
  • Once the code is scanned, the user is exposed to immediate risk with no warnings from antivirus or security software.
  • The lack of typical signals makes it difficult for security tools to even identify the threats to be able to block them.

How to Protect Yourself?

  • Always verify and check the legitimacy of the source before scanning a QR code. If you get an unexpected email with a code in it, don’t scan it! While in a public place, don’t just scan random codes without first checking whether they have been tampered with.
  • If it is possible, verify the URL associated with the code before scanning. If your device lets you preview the URL, check it first so you can better avoid malicious sites.
  • Keep your email security up to date and be sure that it allows for detecting and neutralizing threats from QR codes.
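The URL-preview step above, as an added example that is not part of the original article: a Python sketch that takes the text a QR scanner has already decoded and lists reasons to be cautious before opening it. The function name, the individual checks, the shortener list and the sample URLs are illustrative assumptions, not a complete detector.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative list of link shorteners; extend it for your own use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def preview_qr_url(payload, expected_domains=()):
    """Return a list of warnings for the text decoded from a QR code."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme: {parts.scheme or 'none'})"]
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host name in URL"]

    warnings = []
    if parts.scheme == "http":
        warnings.append("unencrypted http link")
    if "@" in parts.netloc:
        warnings.append("'@' in the address hides the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host (look-alike characters possible)")
    if host in SHORTENERS:
        warnings.append("link shortener hides the final destination")
    # Compare against the domains the poster or email claims to come from.
    if expected_domains and not any(
        host == d or host.endswith("." + d) for d in expected_domains
    ):
        warnings.append(f"host '{host}' is not an expected domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads (reserved example names and addresses).
    samples = [
        "https://menu.example.com/dinner",
        "http://203.0.113.7/verify",
        "https://bit.ly/EXAMPLE",
        "https://example.com.account-verify.example/login",
    ]
    for url in samples:
        print(url, "->", preview_qr_url(url, ["example.com"]) or "no warnings")
```

An empty list only means none of these particular checks fired; it does not prove the destination is safe.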

 

Now, of course not all QR codes are fraud.  There are legit ones out there that are perfectly safe to scan.  By staying informed, being cautious, and verifying as much as possible, you can better protect yourself from a Quishing Scam.