What is quishing?

Quishing, or QR phishing, is a social engineering attack in which attackers use malicious QR codes to trick people into revealing sensitive personal information, downloading malware, or making unauthorized payments.

Essentially, it’s like traditional phishing, but instead of clicking a malicious link in a phishing email, victims scan a QR code that leads them to a fraudulent website or download harmful software onto their devices.

The rise of QR codes

QR codes (short for “quick response”) were invented in 1994 to track car parts in Japan. Today, we use them everywhere—from restaurant menus and store displays to online ads and social media posts. Experts predict that over 100 million smartphone users in the U.S. alone will be scanning QR codes by 2025.

Unlike traditional barcodes, which only store a small amount of information, QR codes can hold much more data.

How does quishing work?

Creation of a malicious QR code

First, the attacker creates a QR code that links to a malicious website or downloads malware. This website often mimics a legitimate site, such as a bank, social media platform, or online store.  

Distribution of the QR code

Attackers spread these malicious QR codes through various channels:  

  • Emails: You might receive an email containing a QR code and urgent wording that prompts you to scan it quickly to claim a prize, access an exclusive offer, or view an important document, while the attacker's actual goal is to steal sensitive information.
  • Social media: They might post the QR code on social media platforms, enticing users to scan it for a discount, contest entry, or access exclusive content.  
  • Physical locations: Attackers might print out the QR code and place it in public places, such as posters, flyers, or stickers attached to products or payment terminals.  

The victim scans the code

An unsuspecting user scans the QR code with their smartphone or tablet.  

Redirection to malicious content

The QR code automatically redirects the victim to the attacker’s website or initiates a malware download.  

Information theft or malware installation

If it’s a phishing website, the victim might be tricked into entering their login credentials, financial information, or other sensitive data. The website might look almost identical to the real one, making it difficult to spot the deception.

If the QR code triggers a download, malware might be installed on the victim’s device. This could be spyware that steals data, ransomware that encrypts files, or any other type of malicious software.

Common targets of quishing

While businesses handling sensitive financial data (like banks, online stores, and payment systems) are prime targets for quishing attacks, individuals are also at risk.

Scammers often impersonate trusted brands like Amazon, Wells Fargo, LinkedIn, and Apple to lull victims into a false sense of security. The familiarity of these brands makes people more likely to scan a QR code without a second thought, potentially compromising their personal information.

How can end-users prevent quishing?

Here’s a breakdown of how end-users can protect themselves from quishing attacks, keeping it simple and clear:

1. Be cautious

  • Think before you scan: The best security measure is not scanning QR codes from unknown or untrusted sources. This includes emails from unknown senders, flyers on the street, or stickers randomly placed in public spaces.
  • Check the source: If a QR code is from a company or organization, verify that it’s legitimate. Look for official branding, contact information, and a secure website (https://).  
  • Be wary of unsolicited QR codes: If you receive a QR code out of the blue or if it promises something too good to be true (like a free prize or a huge discount), consider it a red flag.

2. Examine the QR code (if possible)

  • Use a QR code scanner with a preview feature: Some QR code scanners show you the URL before you visit it. This lets you check whether the link looks suspicious or leads to a website you don’t recognize.
  • Be wary of short URLs: Shortened URLs (like bit.ly links) can hide a QR code’s true destination. If possible, try to expand the URL before visiting the website.  
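
A preview check along the lines described above, as an added example that is not part of the original article: it inspects the text a scanner decodes from a QR code and lists warnings before anything is opened. The shortener list, the brand-to-domain map and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative lists (the article names only bit.ly and the four brands).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
BRAND_DOMAINS = {  # brand keyword -> domain assumed to be the official one
    "amazon": "amazon.com",
    "wellsfargo": "wellsfargo.com",
    "linkedin": "linkedin.com",
    "apple": "apple.com",
}

def preview_qr_payload(payload: str) -> list[str]:
    """Return warnings for a decoded QR payload; an empty list means nothing was flagged."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme {parts.scheme or 'none'!r})"]
    warnings = []
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        warnings.append("no https")
    if parts.username or parts.password:
        warnings.append("userinfo before '@' hides the real host")
    if host in SHORTENERS:
        warnings.append("shortened URL: expand before visiting")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: possible lookalike characters")
    for brand, official in BRAND_DOMAINS.items():
        on_official = host == official or host.endswith("." + official)
        if brand in host.replace("-", "") and not on_official:
            warnings.append(f"mentions {brand} but is not on {official}")
    return warnings

# Constructed sample payloads, as a scanner would decode them.
SAMPLES = [
    "https://www.amazon.com/gp/help",
    "http://bit.ly/EXAMPLE",
    "https://amazon.com.account-verify.example/login",
    "https://apple.com@203.0.113.7/id",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", preview_qr_payload(s) or "no warnings")
```

An empty result only means none of these checks fired; it does not confirm that the destination is legitimate.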

3. Pay attention to your surroundings

  • Be cautious of QR codes on posters or flyers: Attackers might tamper with legitimate QR codes by placing their own malicious stickers on top.  
  • Be extra vigilant in public places: Be careful when scanning QR codes at restaurants, cafes, or public transport, as attackers might place malicious codes in these locations.  

4. Keep your devices secure

  • Install reputable antivirus and anti-malware software: This can help protect your device from malware that might be downloaded through a malicious QR code.
  • Keep your software updated: Software updates often include security patches that can protect you from known vulnerabilities.  

5. If in doubt, don’t scan

It’s always better to be safe than sorry. If you have doubts about a QR code’s legitimacy, don’t scan it.

Applying best mobile security practices

You don’t need a special app to scan QR codes – your smartphone’s camera is usually all you need. But that convenience comes with risks. Here’s how to stay safe:

  • Strong passwords are key: Use strong, unique passphrases for each account. These are longer, more memorable passwords that combine words, numbers, and symbols.
  • Multi-factor authentication (MFA): Whenever possible, enable MFA. This adds an extra layer of security by requiring a second form of verification (like a code sent to your phone) in addition to your password.
  • Install security software: A reliable antivirus or security app can help block malicious links and prevent automatic downloads, acting as a safety net when you scan a QR code.
  • Stay informed about phishing: Keep learning about the latest phishing tactics. Be wary of emails that pressure you into scanning a QR code with urgent language or tempting offers. Always check the sender’s address and look for red flags like spelling errors or requests for personal information.

Dec 4th, 2024