Quishing, or QR code phishing, is a fraud tactic in which victims are tricked into scanning a QR code with their mobile phones. That seemingly harmless action can send them to a fraudulent website, leading to malware installation or the theft of sensitive personal information.
QR codes are, by themselves, harmless: a QR code is just a way of encoding a short piece of data, very often a URL, as an image. The risk comes from what the phone does with that data, exactly as with clicking a link in an email. The URL in a QR code may lead to a phishing site built to capture your login credentials. It may also point at a legitimate site but carry a crafted parameter that abuses a flaw in that site (an open redirect, for example) to send you elsewhere or to gain unauthorized access to your account.
A malicious site can also interact with other websites you are logged into on the same device and perform actions on your behalf. A QR code does not even have to contain a web address: it can hold a link that opens an application on your device and makes it perform an action, much as clicking a Zoom link opens the app and joins a meeting. That is usually harmless, but the same mechanism can be abused to expose your data.
It is therefore essential to check the destination URL and its source before proceeding. A familiar logo printed on or beside the QR code proves nothing, since anyone can print one; confirm that the URL actually belongs to a source you trust.
The Lure for Cybercriminals
Creating and deploying malicious QR codes is easy and requires minimal resources. Anyone can generate a code for free, nobody vets what it contains, and a sticker can be placed in a public space in seconds, which makes QR codes an attractive tool for fraudsters.
Places where a fraudster may plant a malicious QR code for the public to scan:
- Bulletin boards at work, schools, and grocery stores.
- Restaurants that put QR codes on menus or tabletop holders.
- Parking meters, soda machines, ticket machines, transportation hubs.
- Phishing emails and smishing text messages that contain or attach a QR code.
- Drive-thru lanes at fast food or financial institutions.
- Gas pumps and ATMs.
- Storefront windows.
- Pop-up advertisements.
- Paper fliers.
How Quishing Works: Common Methods
- Email scams: Scammers send phishing emails that contain a QR code instead of a clickable link; this is the form of the attack most often called "quishing". Because the URL is hidden inside an image, it slips past email filters that inspect links in the message text, and the victim opens it on a phone, away from the protections of a managed workstation. The email poses as a credible company and asks you to scan the code. For example, it may claim that the payment for an online purchase did not go through and that you must re-enter your credit card details by scanning the QR code. Unsuspecting victims scan it, land on a legitimate-looking website, and enter their payment information, which the cybercriminal now holds.
- Payment scams: Legitimate businesses use QR codes for contactless payments, a practice that became widespread during the COVID-19 pandemic because it let customers pay without touching card readers. Scammers exploit that familiarity by placing their own QR codes in public places to steal money or card details. For example, criminals have posted signs in parking lots telling drivers they can pay for parking by scanning the QR code; the code led to a payment website that looked legitimate but was not.
- Package scams: If you receive a package in the mail that you never ordered and it carries a QR code, do not scan it. In this scam the criminals send an unsolicited package with a QR code inside it (or on the box) that supposedly lets you see the order details or arrange a return. The code leads to a website that prompts you to enter personal information such as your credit card number.
- Cryptocurrency scams: QR codes are routinely used to share wallet addresses for crypto transactions, and criminals use them to steal cryptocurrency. They may contact you with a "giveaway" promising to send back double whatever crypto you send first; nothing ever comes back. They may also invite you into an "investment" and ask you to send crypto to the address in the code. Once the transfer is made it cannot be reversed, and you will likely never hear from them again.
- Donation scams: Scammers may impersonate a charity or create a fake charity to steal your money or credit card information. They may place QR codes on flyers or send them to you through text or email asking you to donate money to a cause.
Staying Safe: Guidelines for QR Code Usage
- Check for Tampering: Scammers sometimes paste their own QR code over a genuine one. Before scanning, make sure the code has not been stuck over another code and does not look out of place. A sticker placed over a printed code on a product, poster or parking meter is a red flag.
- Consider the Source: Pause to inspect a QR code before scanning it, especially when it is on a physical object such as a poster or flyer, so you have a chance to spot irregularities that suggest a scam. Codes presented by a known and reputable establishment are likely trustworthy; be wary of random codes in public places or handed out by unknown individuals.
- Beware of Unsolicited QR Codes: As with an unsolicited phone call, email or text, you do not know the identity or intent of whoever sent a QR code you did not ask for. Do not reply, do not call or text back, and do not follow any links; the same applies to QR codes that arrive unrequested. The decision to scan rests with you, but the safest way to be sure you are dealing with a business, financial institution or retailer is to make the first contact yourself. If you receive a QR code from a company you have a relationship with, contact them on their known phone number or through their legitimate website instead. Never take an incoming QR code's word for its own authenticity.
- Inspect and Research Before You Point: QR codes exist to get you to a destination quickly, but a well-informed consumer should not rush to scan one. Is there another QR code underneath the visible one? Is the advertisement or posting that carries the code grammatically correct, and is it in a place where you would expect that advertisement to be? Could a criminal easily have posted a code in that location? If you are unsure, it is better to search for the company or charity and go to its known website instead. The quickest way to a destination is not always the safest.
- Consider the Risks: Weigh the convenience of a QR code against the potential threat. If the same task can be done by typing a known address, that is the safer route.
- Careful Redirection: Most phone cameras show the decoded URL in a preview before opening it. Read the whole thing: check the scheme, check that the domain right before the first slash is the one you expect rather than a look-alike or a familiar name buried inside a longer hostname, and be suspicious of shortened links, which hide the real destination. If the page redirects after opening, examine the address bar again.
- Beware of Digital Dangers: When encountering a QR code in an email or on a website, ensure the source is credible. Cybercriminals often embed malicious codes in phishing emails or compromised websites. Always verify the sender's email address and check the website's URL to ensure its legitimacy.
- Scan with Caution: Remember that a QR code is essentially a link, and like any other URL on the internet, it could lead to harmful sites or downloads. Even if your scan seems safe, avoid downloading files or entering personal information unless you're sure of the destination's security.
- Stay Updated: Regularly update your mobile device’s software and apps. Updated devices often come with the latest security patches that can protect against certain vulnerabilities exploited through malicious QR codes.
- Trust Your Instincts: If something feels off or seems too good to be true – for instance, a QR code promising a big reward just for scanning – it's best to refrain.
- If It Does Not Work, Tell Someone: If you scan a QR code and get an error or a "site down" message after you have entered account details or personal information, report it right away. In a restaurant, tell the manager and explain quishing. If a QR code on a parking meter does not work, call the town or the local police department. The sooner a fraudulent QR code is detected, the quicker law enforcement and businesses can react.
- Quality Check of Websites: Legitimate e-businesses, retailers, charities and financial institutions invest in professional marketing, graphic design and, most importantly, security. A site that looks poorly made may well be spoofed or fraudulent: fraudsters spend as little as possible on a site because they know it will be taken down soon, so they cut corners to focus on the fraud. Also check the address bar. A URL beginning with "https:" and the padlock shown by the browser mean only that the connection to the site is encrypted; they say nothing about who runs the site, and phishing sites routinely use https too. The absence of https is a warning sign, but its presence is not proof of legitimacy, so judge the domain name, not the padlock.
- Realistic Expectations: If an offer seems too good to be true, it likely is. Unreasonable discounts, significant investment opportunities, and cryptocurrency deals should be sending off red flag signals to you.
- Use a Secure QR Scanner: Some scanner apps and mobile security products check the decoded destination against reputation lists before opening it and warn about known malicious or phishing sites. Using one adds a layer of protection, but it cannot recognise a brand-new scam site, so it complements the checks above rather than replacing them.
- Disable Automatic Opening: Some scanner apps open the decoded link as soon as they recognise a code. Turn that off so the app only shows you the URL and waits for a tap; the preview is your chance to read the address before anything is opened.
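The checks in "Careful Redirection" and "Quality Check of Websites" above can be written down as a small triage routine that runs over the text a scanner app shows in its preview. The following is an added example, not code from the article or from any scanner product: it takes the decoded payload string and an optional expected domain and returns the warning signs it finds (plain http, a username before "@" that disguises the real host, a bare IP address, a punycode label, a URL shortener, a familiar domain buried inside a longer hostname, a query parameter that forwards to another site, and schemes that open an app or execute content rather than visit a page). The shortener and app-scheme lists are short illustrative assumptions, `registered_domain` is a deliberately naive two-label approximation that ignores public-suffix rules such as .co.uk, and every payload in the demo is constructed. Nothing here fetches the URL.

```python
"""Triage the text decoded from a QR code before opening it (added example)."""
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: short illustrative lists; a real deployment would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "qrco.de"}
# Schemes the phone hands to an app instead of the browser (assumed list).
APP_SCHEMES = {"intent", "zoommtg", "zoomus", "msteams", "tel", "sms", "mailto", "market"}
# Schemes that embed or execute content rather than visit a site.
DANGEROUS_SCHEMES = {"javascript", "data", "file", "vbscript"}
# Non-URL QR payload formats (Wi-Fi config, contact cards) that never open a browser.
DATA_FORMATS = {"wifi", "mecard", "begin"}
# Query parameters that commonly carry a forwarding URL (open-redirect pattern).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto", "dest", "continue"}


def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption: no public-suffix rules)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_qr_payload(payload: str, expected_domain: Optional[str] = None) -> dict:
    """Return {'kind', 'flags', 'verdict'} for a decoded QR string.

    verdict is 'ok' (no warning signs), 'review' (read the flags before opening)
    or 'block' (a trick that should never be opened by tapping through).
    """
    flags: list[str] = []
    text = payload.strip()

    # Plain text without a scheme prefix cannot open anything by itself.
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", text):
        return {"kind": "text", "flags": flags, "verdict": "ok"}

    parts = urlsplit(text)
    scheme = parts.scheme.lower()

    if scheme in DATA_FORMATS:
        return {"kind": "data", "flags": flags, "verdict": "review"}
    if scheme in DANGEROUS_SCHEMES:
        flags.append(f"scheme '{scheme}' executes or embeds content instead of visiting a site")
        return {"kind": "url", "flags": flags, "verdict": "block"}
    if scheme in APP_SCHEMES:
        flags.append(f"scheme '{scheme}' opens an app directly; confirm the action it triggers")
        return {"kind": "app-link", "flags": flags, "verdict": "review"}
    if scheme not in ("http", "https"):
        flags.append(f"unrecognised scheme '{scheme}'")
        return {"kind": "unknown", "flags": flags, "verdict": "review"}

    hard_block = False
    host = (parts.hostname or "").lower()

    if scheme == "http":
        flags.append("plain http: no TLS, so anyone on the path can read or alter the page")
    if parts.username is not None:
        # https://bank.example.com@evil.example/ : the real host is what follows '@'
        flags.append(f"text before '@' disguises the real host {host!r}")
        hard_block = True
    try:
        ipaddress.ip_address(host)
        flags.append("host is a bare IP address, not a named site")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            shown = host
        flags.append(f"punycode label: browser may display {shown!r}, a possible look-alike")
    if host in SHORTENERS:
        flags.append("URL shortener: the final destination is hidden")

    if expected_domain:
        exp = expected_domain.lower()
        if registered_domain(host) != registered_domain(exp):
            if exp in host:
                flags.append(f"'{exp}' appears inside the hostname but the site is really {registered_domain(host)!r}")
            else:
                flags.append(f"registered domain {registered_domain(host)!r} is not {exp!r}")

    # A parameter carrying another URL is the forwarding trick described in the text.
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                if re.match(r"^https?://", unquote(value), re.IGNORECASE):
                    flags.append(f"parameter '{key}' forwards to another site: {unquote(value)}")

    verdict = "block" if hard_block else ("review" if flags else "ok")
    return {"kind": "url", "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    # Constructed payloads of the kind a scanner preview would show.
    samples = [
        ("https://www.example-bank.com/login", "example-bank.com"),
        ("https://example-bank.com.account-verify.example/login", "example-bank.com"),
        ("https://example-bank.com@203.0.113.5/login", "example-bank.com"),
        ("http://bit.ly/3abc", None),
        ("https://accounts.example-bank.com/auth?redirect=https%3A%2F%2Fevil.example%2Fcollect", "example-bank.com"),
        ("intent://scan/#Intent;scheme=zxing;end", None),
        ("javascript:alert(1)", None),
        ("WIFI:T:WPA;S:FreeCafe;P:hunter2;;", None),
    ]
    for payload, expected in samples:
        result = triage_qr_payload(payload, expected)
        print(f"{result['verdict']:6} {payload}")
        for flag in result["flags"]:
            print(f"       - {flag}")
```

The routine only reads the string; it never opens the link, so it is safe to run on anything a scanner shows you. Its two hard blocks (a dangerous scheme and the "@" disguise) are the cases where the preview itself is the attack; everything else is a reason to read the address carefully rather than a verdict on its own.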
Actions If You Fall Victim to Quishing
- If you provided account information, contact that financial institution or retailer immediately and have the account closed or the card reissued. If you provided a password or the answers to security questions, change them on that account and on any other account where you reused them.
- If you provided personal information, file an identity theft report with your local police department and with the Federal Trade Commission (https://reportfraud.ftc.gov/#/). Give the suspected location of the QR code you scanned and the URL from your browser history, but do not visit the site again to look at it.
- Notify the credit bureaus and file an identity theft report and request a “Credit Freeze.” This will prevent anyone from opening a new account with your PII information. However, you are going to still need to monitor your existing accounts for fraud. Depending on the PII information you provided, the fraudster may be able to access multiple accounts that are associated with you.
- If you suspect that you downloaded malware onto your Android device, you have two options.