Since 2002, when the first mobile phones with built-in QR code readers were introduced in Japan, the use of QR codes has steadily grown as a quick and efficient way to store and access data.
However, this increasing popularity has also led to a rise in malicious actors exploiting QR codes to execute QR code phishing, also known as quishing.
What are QR codes?
QR stands for Quick Response. It is a two-dimensional barcode that stores data as a grid of black and white squares (modules) inside a square frame, with position markers that let a camera read it from any angle. QR codes can be scanned by any digital device with a camera, such as a mobile phone or tablet.
The data stored in a QR code is simply a string of characters: typically a website URL, a phone number, Wi-Fi credentials, or plain text. The largest QR version (version 40) holds about 4,300 alphanumeric characters or roughly 2,950 bytes of arbitrary data. Some common uses of QR codes include:
- Link directly to app download
- Track information about products on a supply chain
- Authenticate online accounts and verify login details
- Send and receive payment information
Are QR codes safe?
A QR code is a passive encoding of data, nothing more: it cannot run code on its own, and the printed pattern itself is not what gets "hacked". The danger lies in the payload and in what your device does with it, most often the website the code directs you to. Attackers can point a code at a site that looks legitimate but harvests credentials or serves malware. Two caveats apply to the codes themselves. First, the "dynamic" codes offered by many online generator services encode a redirect through the service's own domain rather than the final URL, so the decoded link tells you nothing about the real destination, and such services commonly log every scan. Second, a code is only as trustworthy as the place you found it: anyone can print a code, and anyone can stick one over a legitimate one.
What is Quishing?
Quishing is a cybersecurity threat in which attackers create QR codes that direct victims to harmful websites or trigger the download of malicious content. The intention behind the attack is to obtain sensitive information such as login details, banking information, or other forms of personally identifiable information and use it for financial fraud, identity theft, or as the initial foothold for a ransomware attack. Scanning a harmful QR code and opening the link can also result in the download of malicious code, potentially compromising your device.
How Quishing Works
Quishing typically involves a malicious actor creating a QR code that leads to a harmful website. The code is then embedded in a phishing email, a text message, or a printed flyer, or shared via social media. Attackers may also paste a fake code over a legitimate one in places where QR codes are displayed publicly, such as parking meters, restaurant menus, or store counters. Two properties make the QR code attractive to the attacker: because it is an image rather than a text link, it can slip past email filters that only inspect URLs in the message body, and it moves the victim from a managed work computer to a personal phone that usually sits outside corporate security controls.
Attackers use social engineering to entice victims into scanning the code and opening the link. For instance, a victim might receive a message claiming that their account has been locked and that they need to scan the QR code to verify their identity and restore access.
After scanning, the code directs them to a fake website that prompts them to enter sensitive information such as passwords or payment details, or it initiates a malware download in the background. Once this information is obtained, attackers can exploit it for identity theft, financial fraud, or as a way into the victim's organisation.
Avoiding a Quishing Scam: Key Tips
- Scan from trusted sources: Verify who produced the code and why before scanning it. An unexpected code in an email or text message deserves the same suspicion as an unexpected link.
- Inspect the link: Most scanner apps show the decoded URL before opening it. Read the domain itself, not the page it loads: look for misspellings or unusual characters, a brand name that is only a subdomain of some other domain, a bare IP address, a URL shortener that hides the real destination, or a plain http:// address. If in doubt, type the organisation's address into the browser yourself instead of following the code.
- Beware of tampered QR codes: If the code is displayed in public, check that a sticker has not been placed over the original and that the code matches the surrounding signage.
- Handle sensitive data cautiously: Never enter login details, payment details, or personal information on a website you reached through a code you have not verified, and be equally wary of codes that do more than open a page, such as joining a Wi-Fi network or enrolling an authenticator secret.