Quishing: QR code phishing as a form of social engineering attack

Are you aware of QR code phishing or “quishing”? This form of social engineering attack is gaining popularity among cybercriminals eager to steal your data.

What Is Quishing?

QR code phishing or quishing is a type of phishing attack that uses QR codes to lure victims into revealing sensitive information. Threat actors create a QR code that looks legitimate, such as one that appears to offer a discount or special offer, but in fact, it directs the victim to a fake website controlled by the attacker.

Once on the fake website, the victim is prompted to enter sensitive information such as login credentials or credit card information, which is then stolen by the attacker. Quishing attacks can be hard to spot, as the attackers create legitimate-looking websites and logos impersonating known brands.

How Does Quishing Work?

The attacker creates a QR code that looks legitimate, for example one that offers a discount or special offer. Then, they distribute the QR code through various means, such as email, social media, or even physical flyers.

When the victim scans the code with their smartphone or another device, it redirects them to a malicious website or file. Alternatively, QR codes may be configured to automatically download malware onto the victim’s device, allowing the attacker to steal sensitive information or take control of the device.

What Can Happen If You Scan a Fake QR Code?

First of all, a “fake” QR code is not actually a thing. The codes themselves are not harmful; it is how they are used that can cause issues. Quishing can pose several risks to both organizations and individuals.

QR codes do not only direct you to a URL. There are a few different ways in which scammers use QR codes to steal personal information or commit other crimes:

1. You Could Be Directed to a Phishing Website

Threat actors develop websites that convincingly resemble the content you expect, then request critical information from you. Anything you provide, including your name, phone number, and credit card number, is sent to the threat actor and can be used to steal your identity.

2. Your Device Could Get Infected With Malware

QR codes can also be configured to automatically download content such as malware, ransomware, and trojans onto your device. Some infections have the ability to track you, steal your private data, encrypt your device, and even spy on you and your organization.

3. The QR Code Could Send Emails from Your Accounts

The codes can also be programmed to access payment sites, monitor social media accounts, and send pre-written emails. For instance, a rogue QR code can create and send emails from your account if you scan it. Scammers can use QR codes in a variety of ways to carry out phishing attacks or to harm your reputation.

Red Flags to Look Out For

You don’t need to avoid scanning QR codes entirely. Although such scams take advantage of our eyes’ inability to “read” QR codes, there are some signs that indicate you are dealing with a fraudulent QR code.

Check the destination site of the QR code: Check for mistakes and misspelled words, shoddy design, low-quality photos, and insecure URLs as indicators that you’ve landed on a bogus website. Sites that are “secure” will use HTTPS rather than HTTP and will have a padlock icon next to their URL;

Preview the URL before accessing the link: Before directing you to the intended page, your phone will tell you the destination of the QR code. Check the URL to see if it seems safe. If the URL is shortened or unreadable, be extra cautious;

Be cautious with QR codes in public places or in the mail: A QR code posted in a public place or sent to you in the mail could have been placed there by a threat actor or easily altered. Avoid scanning these as much as possible to minimize the risk of infection;

For extra caution, avoid downloading QR code scanning apps and only use your phone’s built-in QR scanner in the camera.
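
The URL checks above can also be run automatically on the text decoded from a QR code, for example in a mail filter or a kiosk scanner. This is an added example, not part of the original article; the function name qr_red_flags and the short list of link shorteners are assumptions, and the sample payloads are constructed.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumption: a small sample of well-known link shorteners, not a complete list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Non-web payloads a QR code can carry (pre-written email, SMS, call, Wi-Fi).
ACTION_SCHEMES = {"mailto", "sms", "smsto", "tel", "wifi"}


def qr_red_flags(payload: str) -> list:
    """Return the red flags found in the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed URL; review it manually"]
    scheme = parts.scheme.lower()
    if scheme in ACTION_SCHEMES:
        return [f"triggers a '{scheme}' action instead of opening a web page"]
    if scheme not in ("http", "https"):
        return ["payload is not a web URL; review it manually"]
    flags = []
    host = (parts.hostname or "").lower()
    if scheme == "http":
        flags.append("insecure URL (HTTP, not HTTPS)")
    if host in SHORTENER_HOSTS:
        flags.append("shortened URL hides the real destination")
    if "@" in parts.netloc:
        flags.append("userinfo before '@' disguises the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host may imitate a known brand")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    return flags


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them.
    samples = [
        "https://www.example.com/menu",
        "http://bit.ly/3xYzAbc",
        "https://example.com@192.0.2.7/login",
        "mailto:billing@example.com?subject=Invoice&body=Approved",
    ]
    for sample in samples:
        print(sample, "->", qr_red_flags(sample) or "no red flags")
```

An empty result only means none of these specific checks fired; the destination page still needs the visual checks listed above.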