Do you scan QR codes in public places? They’re very convenient for opening links and making payments, but they also hold their fair share of risks. Here’s how scanning a QR code can cost you thousands and how to avoid it.
What Is Quishing?
Quishing is a portmanteau of “QR” and “phishing.”
Quishing is when a scammer commits an act of phishing through a QR code, which activates when you scan it. We’ve previously covered what quishing is and how to spot it, but this dangerous form of phishing is seeing a significant uptick in victims worldwide.

How Can Quishing Cost You Thousands?
Quishing is dangerous because most people don’t take scanning QR codes seriously. As such, we’re more likely to follow the QR code’s instructions, heading to whatever URL or service the QR code links to. This lowered guard allows scammers to attack places where people use a QR code to make a payment. The scammer studies the website the QR code links to, creates a replica, and then replaces the legitimate QR code with one that points to their cloned website.
When a victim scans the fake QR code, they’re taken to the fake website, believing they’re visiting a legitimate website. The fake website asks for personal details, including payment information. Once the scammers get a hold of those, they can perform a shopping spree using the victim’s bank account.

3 Quishing Attack Examples
Having thousands of dollars stolen from scanning a bad QR code sounds like science fiction, but it’s very much a reality. Here are some of the more common attack vectors quishers use.
1. Parking Meter and Charging Point Attacks
Some car parking meters and charging points use QR codes as part of the payment process. To pay your fee, you scan a code that directs you to a payment website or an app to download.
Scammers hijack these QR codes by sticking their malicious version over the original. When someone goes to pay for their parking or electricity, they scan the code, enter their payment details into the fake website or app, and unknowingly send them to the scammers.
It may seem unrealistic that people could lose thousands to these scams, but it has happened before. As reported by ITV, one person lost £13,000 ($16,500) after scanning a bad QR code on a parking machine.
2. Email QR Code Attacks
Sometimes, scammers will send an email with a QR code attached. The scammer will convince you to scan it; for example, they may state that it’s to download an important app or claim to be law enforcement asking for payment. When the victim scans the QR code, they are led to a fake website or app that asks for their credit card information.
HP Threat Research reported that this method of attack saw a spike in China in 2022 with an email claiming the recipient was entitled to a government grant. The process asked users for their full credit card information, including details on their current balance.
3. Fake QR Code Generators
In some cases, the scammer sets up a fake QR code generator to trick people. This usually happens where people can use QR codes to ask for payments, as the scammers can sneak their own accounts into the generated codes in place of the original ones.
BitDefender reported an example where several websites set up fake QR code generators for Bitcoin wallets. The website asked the user for a wallet ID and promised to generate a QR code that payees could easily scan and use when, in reality, the code pointed to the scammer’s own Bitcoin wallet.
How to Check If a QR Code Is Safe
Quishing sounds scary, but you’re able to stop the scams before they access your financial information with a few easy security tips.
Check If the QR Code Has Been Tampered With
If you’re scanning a QR code in public, verify that the code hasn’t been altered. Look for signs somebody has stuck a sticker over the original QR code; if you find any, do not scan the QR code.
Similarly, if you’re generating a QR code to receive payments, be sure to scan the QR code yourself and double-check that the payments will go where you think they’ll go.
Double-Check the URL or Website After Scanning
After you’ve scanned a QR code, always double-check the URL or the website that comes up. A scammer’s website will have a strange-looking URL, or the website won’t “feel right.” Go through the steps to check if a website is safe, and if anything looks suspicious, do not enter any payment information into the website.
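The two checks above (confirming that a payment code you generated pays your own wallet, and confirming the URL a scanned code opens) can be written down as a short script. This is an added example, not code from the original article; the function name, the operator hostname and the wallet IDs are constructed placeholders, and it assumes your scanner app has already decoded the QR code into text.

```python
from urllib.parse import urlsplit

def check_qr_payload(payload, expected_hosts=(), expected_wallet=None):
    """Compare text decoded from a QR code with where it is supposed to lead.

    Returns (ok, reason). Decoding the image is left to the scanner app.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return False, "not a parseable URL"
    scheme = parts.scheme.lower()

    # Payment-request code: the wallet in the code must be the one you supplied.
    if scheme == "bitcoin":
        if expected_wallet is None:
            return False, "wallet payment code was not expected here"
        if parts.path != expected_wallet:
            return False, "code pays a different wallet: " + parts.path
        return True, "wallet matches"

    if scheme != "https":
        return False, "scheme is %r, expected https" % scheme
    # Reject user@host forms: the name shown before '@' is not the host that loads.
    if parts.username is not None or parts.password is not None:
        return False, "URL hides the real host behind user@ syntax"
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact match only: a longer name that merely starts with the operator's
    # hostname belongs to somebody else.
    if host not in {h.lower() for h in expected_hosts}:
        return False, "unexpected host: " + host
    return True, "host matches"

# Constructed sample values (reserved example domains, placeholder wallet IDs).
OPERATOR_HOSTS = {"pay.cityparking.example"}
MY_WALLET = "bc1q-constructed-placeholder-mine"
SAMPLES = [
    "https://pay.cityparking.example/zone/12",
    "https://pay.cityparking.example.secure-pay.test/zone/12",
    "https://pay.cityparking.example@203.0.113.5/zone/12",
    "http://pay.cityparking.example/zone/12",
    "bitcoin:bc1q-constructed-placeholder-mine?amount=0.01",
    "bitcoin:bc1q-constructed-placeholder-other?amount=0.01",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(check_qr_payload(text, OPERATOR_HOSTS, MY_WALLET), text)
```

Only the first and fifth samples pass. The expected hostname should come from the operator’s printed signage or official app listing, not from the QR code itself.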
Look for Alternate Methods to Pay
If the QR code looks suspicious, or you’d rather not take the risk, look for another way to pay. For example, if the QR code claims it will lead you to an app, manually search for it on your phone’s app store instead. If the recipient allows alternate payment methods, use those or ask about them with an employee.
Quishing attacks can cost you, but the best defense against them is to know how they work and what to look out for. If a QR code takes you somewhere fishy, don’t enter your payment information.