The Rise of Quishing: The Potential Dangers of Scanning QR Codes

Scanning a QR code is a convenient way to get to the information you need just by opening your camera app; however, the code may not lead where you think it does. Last week, the Federal Trade Commission (FTC) released a consumer alert warning people to be on the lookout for harmful links hidden in QR codes. QR codes are everywhere and are used for virtually anything, and, naturally, bad actors have weaponized them for phishing attacks. The FTC alert offers useful insight into how these attacks work and what to watch for to stay protected.

Phishing is a form of social engineering in which attackers deceive people into revealing or handing over sensitive information (such as usernames and passwords) or even installing malicious software. Phishing has been around for a very long time and has taken on numerous forms over the years. In this go-round, the attacks use QR codes, hence the name quishing. Because QR codes are nearly everywhere and exist precisely to give people quick access to something they need, people tend to scan them without second-guessing their purpose. Attackers exploit that habit by imitating those helpful QR codes, only to lead the person who scans one to a spoofed site that captures their credentials, or to a download that installs malware on their device. That is quishing: fooling a person (or many people) into thinking something is harmless (or necessary) when the true intent is far from innocent. The goal is to get at your information, steal your bank account credentials, and much, much more.

According to the FTC, there have been reports of scammers covering the legitimate QR codes on parking meters, which are there so people can pay for a parking spot, with their own malicious QR code stickers. The FTC also says another common quishing attack involves sending the victim a QR code by text message or email along with an urgent reason to scan it.
Typical pretexts include saying you need to scan the code to reschedule a package delivery, pretending there is a problem with your account that you must scan the code to confirm, or claiming suspicious activity was noticed on your account and you should change your information. The key factor is the sense of urgency the scammer creates to get the user to scan the QR code and enter personal information as quickly as possible, without thinking it through. Of course, these are not the only ways a threat actor could use a QR code to dupe people. Ultimately, any QR code you see in the wild could be malicious, or could have been replaced or covered over.

QR codes are everywhere: in restaurants, on mass transit, in commercials, on signs, walls, bathrooms and advertisements, and companies even ship their products with QR codes so consumers can pull up the manual on their phones. We have all simply accepted the QR code, and, to that end, we trust it. After all, how harmful can a simple QR code be? The answer is: very. Cybercriminals are counting on most consumers assuming QR codes are harmless. Those same criminals also understand that their easiest targets are people on mobile phones. Why? A phone is where a QR code gets scanned, the screen is small, there is no mouse pointer to hover over a link and preview its destination, and the camera app often opens the link after showing only a truncated preview. A URL embedded in a QR code image can also slip past email filters that only inspect links written as text.

The simplest thing you can do is not scan QR codes at all, especially those from unknown sources. More specifically, the FTC recommends that if you see a QR code in an unexpected place, you inspect the URL before opening it; most phone camera apps show the decoded link before you tap it. When inspecting the link, make sure you recognize the domain, and even if you do, look for misspellings or a switched letter. The FTC also advises that if you receive an unexpected email or text with a QR code, don't scan it, especially if it urges you to act immediately.
If you think the message might be legitimate, verify it with the sender using a phone number or website you already know to be authentic, not one supplied in the message. Legitimate companies will give you a way to complete the task without scanning anything, and most companies are not going to send you a QR code to "verify your account". Just like SMS messages from unknown sources, a QR code can hide dangerous intent, so unless you are certain of its source, don't scan it with your phone. Another tip: if an email with a QR code purports to be from Company X, but the sender's address is a Gmail account or some random, unknown domain, chances are pretty good that it's a quishing attack. Lastly, the FTC recommends protecting your phone and accounts by updating the phone to its latest OS version and using strong passwords and multifactor authentication on your accounts.
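As a worked example of the checks above (recognize the domain, look for misspellings or a switched letter, distrust a sender whose domain does not match the company it claims to be), here is a small Python script. It is added here and is not part of the FTC alert or of this article's original content. It works on the URL string a QR scanner has already decoded, not on the image itself; the trusted-domain list, the shortener list and the sample payloads are all constructed for illustration.

```python
"""Inspect a decoded QR payload the way the FTC advice suggests: is the domain
one you recognise, and if not, is it a misspelling, a swapped letter, or some
other trick? Added example, not code from the article or the FTC."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allow-list: the domains this particular user expects to see.
TRUSTED_DOMAINS = {"bank.example", "citypark.example"}

# Common public URL shorteners; a QR code pointing at one hides the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'bnak' is one step from 'bank' (a 'switched letter')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-label public
    suffixes such as co.uk, which a real implementation should handle."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_qr_url(payload: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return a list of warnings for a decoded payload. An empty list means
    nothing suspicious was found, not that the link is safe."""
    warnings = []
    parsed = urlparse(payload.strip())
    scheme = parsed.scheme.lower()
    if scheme not in ("http", "https"):
        # tel:, sms:, market:, intent: and similar trigger an action, not a web page
        warnings.append(f"non-web scheme {scheme!r}")
        return warnings
    if scheme == "http":
        warnings.append("plain http, not https")
    host = (parsed.hostname or "").lower()
    if not host:
        warnings.append("no host in URL")
        return warnings
    if parsed.username is not None:
        # https://bank.example@evil.test reads as bank.example on a small screen
        warnings.append(f"userinfo before host; real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
        return warnings
    except ValueError:
        pass
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        warnings.append("punycode/non-ASCII host, possible homoglyph domain")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        warnings.append(f"URL shortener {reg}, destination hidden")
    if reg in trusted:
        return warnings
    warnings.append(f"unrecognised domain {reg}")
    for good in trusted:
        if good in host:
            # e.g. bank.example.login-verify.test: the trusted name is only a subdomain label
            warnings.append(f"{good} appears inside host but domain is {reg}")
        elif 0 < osa_distance(reg, good) <= 2:
            warnings.append(f"{reg} is a lookalike of {good}")
    return warnings


def sender_matches_brand(from_header: str, brand_domain: str) -> bool:
    """True only if the From address is at the brand's domain or a subdomain of it.
    Caveat: the From header can itself be forged; this catches only the case in the
    article, a 'Company X' message sent from Gmail or an unrelated domain."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    domain = addr.rsplit("@", 1)[-1].strip().lower()
    brand = brand_domain.lower()
    return domain == brand or domain.endswith("." + brand)


if __name__ == "__main__":
    # Constructed payloads, as a QR scanner would hand them to you
    samples = [
        "https://bank.example/login",
        "https://bnak.example/login",
        "http://bank.example.login-verify.test/confirm",
        "https://bank.example@evil.test/",
        "https://" + "bánk".encode("idna").decode("ascii") + ".example/",
        "https://bit.ly/3abc",
        "tel:+15550000000",
    ]
    for s in samples:
        print(s, "->", inspect_qr_url(s) or ["no warnings"])
    print(sender_matches_brand("Bank Support <alerts@bank.example>", "bank.example"))
    print(sender_matches_brand("Bank Support <bank.support@gmail.com>", "bank.example"))
```

The checks are deliberately conservative: a trusted domain returns no warnings, anything else is at least "unrecognised", and the lookalike test only fires within two edits so that unrelated domains are not mislabelled as impersonation.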