News

Quishing: the dangers of phishing via QR codes 

Cybercriminals exploit the trust that many people place in these black-and-white symbols to steal login credentials, payment data, and other sensitive information. 

Phishing email with QR code

4 November 2024

Table of contents

  • What is quishing and how does it work? 
  • Techniques used in QR phishing 
  • The risks of quishing 
  • How to protect yourself from quishing 

In recent years, with the rise of mobile devices, a new cyber threat has emerged: quishing

This term refers to a specific type of phishing that uses QR codes to deceive users, encouraging them to scan a fraudulent QR code that redirects them to malicious websites. 

What is quishing and how does it work? 

Quishing, a term combining “QR” and “phishing,” is a technique in which two-dimensional barcodes, better known as QR codes (short for “quick response code“), are used to deceive victims. 

Quishin: the definition? In essence, cybercriminals create fake QR codes that, once scanned, direct users to fake websites. At first glance, QR codes may seem secure, but in reality, they can conceal cyber threats. 

An unsuspecting victim might be easily led to scan a QR code and then enter sensitive information like passwords, credit card numbers, or personal details. 

One of the most insidious aspects of QR phishing is the ubiquity of QR codes: they’re used in restaurants, advertising campaigns, business cards, and even emails.

Often perceived as safe, these codes can be easily faked by anyone with minimal technical skills.

Distinguishing a legitimate code from a fraudulent one can be challenging, as these black-and-white symbols appear identical. 

Techniques used in QR phishing 

In QR code phishing, scammers employ various methods to deceive victims.

  • Phishing email
    A common tactic is sending a phishing email containing a QR code that, when scanned, redirects the user to a site that mimics a well-known bank or online service.

    Here, the victim might be tricked into entering their login credentials, giving cybercriminals access to their accounts. 
  • QR codes
    Another method involves using fake QR codes on physical materials like flyers or stickers that appear to promote services or discounts but actually direct users to dangerous sites.

    Here, the smartphone itself becomes the means by which sensitive data is stolen or the device is infected with malware. 
Cybercriminal creating fake QR codes

The risks of quishing 

One of the main issues with quishing is that many users are unaware of the dangers associated with scanning unknown QR codes.

Since scanning happens directly on one’s smartphone, the victim often feels safer than when opening suspicious links on a computer. 

This leads many people to scan QR codes without a second thought and without verifying their authenticity.

However, once the code is scanned, it might already be too late. The victim could be redirected to a scam site that asks for sensitive information, or their device could become infected with malware. 

QR phishing attacks don’t only target login credentials or credit card numbers. They also aim to obtain other information, like email addresses or phone numbers, which can then be used for further scams. 

How to protect yourself from quishing 

Protecting yourself from quishing isn’t impossible, but it requires awareness and precautions. Before scanning a QR code, it’s essential to verify the source it’s coming from.

If a code is found in a phishing email or on a suspicious flyer, it should be treated with caution. 

Here are some tips to avoid falling into the QR phishing trap: 

  • Always ensure that the QR code comes from a reliable source. If you receive a code via email, check that the sender’s email address is legitimate. 
  • Use apps that allow you to view the QR code’s URL before opening it. This helps you know where you’re being redirected. 
  • Avoid scanning QR codes from unknown sources or in unverified public places, as cybercriminals may have replaced the original code with a fake one. 
  • Regularly update your operating system and use antivirus software on your smartphone to prevent malware infections. 

It’s also a good idea to avoid entering sensitive information on websites accessed through a suspicious QR code, especially if they ask for personal or payment data. 

Frequently asked questions

  1. What is quishing? 
    Quishing is a form of phishing that uses QR codes to redirect users to malicious websites. 
  2. How does a QR phishing attack occur? 
    Attacks occur when a user scans a fake QR code that redirects them to a site requiring personal or login information. 
  3. What risks does quishing entail? 
    Risks include the theft of login credentials, credit card numbers, and device infection with malware. 
  4. Where might I encounter fraudulent QR codes? 
    They may appear in phishing emails, flyers, advertisements, or stickers in public places. 
  5. How can I protect myself from quishing? 
    Always verify the source of the QR code, use apps that reveal the URL before opening, and avoid entering sensitive information on suspicious sites. 
  6. Are QR codes in restaurants dangerous? 
    Generally, no, but it’s always wise to check the legitimacy of the site before entering data. 
  7. What data is stolen through quishing? 
    Cybercriminals seek login credentials, payment data, and other personal information. 
  8. Can my smartphone get infected through quishing? 
    Yes, your smartphone could be exposed to malware if you scan a dangerous QR code. 
  9. How do I know if a QR code is safe? 
    Check the URL before opening and verify it comes from a trusted source. 
  10. Can I avoid QR codes altogether to prevent quishing? 
    It’s not necessary to avoid them entirely; just exercise caution and avoid scanning codes from unverified sources. 
87
To top