Quishing is the QR Code Threat You Need to Know About Before Scanning. FTC Warns of Scammers Concealing Harmful Links.
Do you frequently scan QR codes in public spaces? While they offer convenience for accessing links and processing payments, they also come with inherent risks. Discover how a simple QR code scan could potentially lead to significant financial losses and learn essential tips to mitigate these risks.
Quishing, a deceptive practice where scammers employ phishing tactics through QR codes, has become increasingly prevalent worldwide. Despite previous discussions on identifying and avoiding such schemes, this form of phishing continues to ensnare unsuspecting victims at an alarming rate.
So, how exactly can quishing lead to substantial financial losses? The inherent convenience of QR codes often leads individuals to underestimate the potential risks associated with scanning them. Consequently, users may unwittingly comply with the instructions embedded in the QR code, directing them to a fraudulent website or service. Exploiting this false sense of security, scammers target areas where QR codes are commonly used for payments.
By meticulously replicating legitimate websites linked to QR codes, scammers lure victims into believing they are accessing authentic platforms.
By meticulously replicating legitimate websites linked to QR codes, scammers lure victims into believing they are accessing authentic platforms. Once directed to the counterfeit website, victims are prompted to divulge sensitive personal information, including payment details. With this information in hand, scammers gain unrestricted access to the victim’s bank account, enabling them to engage in unauthorized transactions and fraudulent activities.
Quishing Attack Examples
Having thousands of dollars stolen from scanning a bad QR code sounds like science fiction, but it’s very much a reality. Here are some of the more common attack vectors quishers use.
1. Parking Meter and Charging Point Attacks
Some car parking meters and charging points use QR codes as part of the payment process. To pay your fee, you scan a code that directs you to a payment website or an app to download.
Scammers hijack these QR codes by sticking their malicious version over the original. When someone goes to pay for their parking or electricity, they scan the app, enter their payment details into the fake website or app, and send it unknowingly to the scammers.
It may seem unrealistic that people could lose thousands to these scams, but it has happened before. As reported by ITV, one person lost £13,000 ($16,500) after scanning a bad QR code on a parking machine.
2. Email QR Code Attacks
Sometimes, scammers will send an email with a QR code attached. The scammer will convince you to scan it; for example, they may state that it’s to download an important app or claim to be law enforcement asking for payment. When the victim scans the QR code, they are led to a fake website or app that asks for their credit card information.
HP Threat Research reported that this method of attack saw a spike in China in 2022 with an email claiming the recipient was entitled to a government grant. The process asked users for their full credit card information, including details on their current balance.
3. Fake QR Code Generators
In some cases, the scammer sets up a fake QR code generator to trick people. This usually happens when people can use QR codes to ask for payments, as the scammers can sneak into their accounts instead of the original generators.
BitDefender reported an example where several websites set up fake QR code generators for Bitcoin wallets. The website asked the user for a wallet ID and promised to generate a QR code that payees could easily scan and use when, in reality, the code pointed to the scammer’s own Bitcoin wallet.
How to Check If a QR Code Is Safe
Quishing sounds scary, but you can stop the scams before they access your financial information with a few easy security tips.
Check If the QR Code Has Been Tampered With
If you’re scanning a QR code in public, make sure that the code hasn’t been altered. Look for signs somebody has stuck a sticker over the original QR code; if it does, do not scan the QR code.
Similarly, if you’re generating a QR code to receive payments, be sure to scan the QR code yourself and double-check that the payments will go where you think they’ll go.
Double-Check the URL or Website After Scanning
After you’ve scanned a QR code, always double-check the URL or the website that comes up. A scammer’s website will have a strange-looking URL, or the website won’t “feel right.” Go through the steps to check if a website is safe, and if anything looks suspicious, do not enter any payment information into the website.
Look for Alternate Methods to Pay
If the QR code looks suspicious, or you’d rather not take the risk, look for another way to pay. For example, if the QR code claims it will lead you to an app, manually search for it on your phone’s app store instead. If the recipient allows alternate payment methods, use those or ask about them with an employee.
Quishing attacks can cost you, but the best defense against them is to know how they work and what to look out for. If a QR code takes you somewhere fishy, don’t enter your payment information.