In the age of QR codes, cybercriminals are using a technique called “quishing” to trick people into visiting malicious websites. Read on to learn more about this scam, the various forms of QR code phishing, and how to protect yourself from such attacks.
What is Quishing?
Quishing is a type of cyberattack that uses QR codes to trick people into visiting malicious websites or revealing sensitive information. This attack exploits the trust and convenience associated with QR codes to deceive victims. Quishing is also known as QR code phishing, QR code spoofing, or QRishing.
How do QR code phishing attacks work?
A typical phishing attack using quishing or a QR code consists of five main steps:
- Distribution: Fraudsters create fraudulent QR codes and distribute them through various means, such as printing them on flyers, posters or labels, or sharing them digitally via email, SMS or social media.
- Deception: Fraudulent QR codes usually look legitimate and may promise enticing offers, discounts, or services to lure potential victims.
- Scanning: Victims discover the QR code and use their mobile devices equipped with QR code reader apps to scan it.
- Redirection: When scanning a QR code, the victim’s device is redirected to a malicious website controlled by the attackers. This website typically mimics a trusted or well-known site.
- Data theft: A fake website may entice a victim to enter sensitive information, such as login credentials, personal data, or financial information, by posing as a legitimate source requesting the information provided.
Types of Quishing Attacks
QR code phishing attacks can take many forms, and attackers use a variety of tactics to deceive victims. Here are a few examples:
- Fake product discounts: Scammers distribute QR codes promising significant discounts on popular products or services. When scanned, the QR code redirects users to a fake website where they are asked to provide personal information and payment details. The promised discount is never delivered.
- Fake event tickets: Scammers create QR codes for events that don’t exist or tickets they don’t have. Unsuspecting victims scan the codes, believing they’re buying tickets, only to lose their money and have their personal information stolen.
- Job offer scams: Fraudsters may send fake job offers via email or social media with a QR code for the job application. When scanned, the code redirects the user to a phishing page requesting personal and financial information.
- Banking and financial fraud: Fraudsters may send QR codes that appear to be from a user’s bank, claiming they are linked to important account information. Scanning the code redirects the user to a fake banking website designed to steal credentials and financial information.
- Cryptocurrency scams: Scammers create deceptive QR codes and distribute them through various channels, such as email, social media, or even physical stickers. Unsuspecting victims scan these codes, believing they are initiating legitimate cryptocurrency transactions, but in reality, they are sending their funds to the scammer’s wallet.
- Charitable donation scams: Scammers distribute QR codes purportedly for charitable donations. When scanned, the code redirects users to a fraudulent donation page where their payment information is captured.
- Parcel delivery scams: Scammers send QR codes in emails or text messages, claiming to track package delivery information. When the recipient scans the code, they are redirected to a fake website that searches for personal information or delivers malware.
- Restaurant and Menu Fraud: Following the increase in QR code use during and after the COVID-19 pandemic, scammers distributed QR codes on counterfeit restaurant menus. When scanned, these codes redirected to malicious websites that attempted to install malware or steal personal information.
These are just a few examples of phishing attacks using QR codes. QR codes are convenient tools, but they can be used by cybercriminals to trick people into revealing sensitive information or becoming victims of various scams. It is crucial to exercise caution when scanning QR codes, especially those from unverified or unsolicited sources, and to verify their legitimacy before taking any action.
Examples of Fraud in the Real World
Chinese quishing attack targets bank accounts
In a QR phishing campaign emerged in China, in which scammers posed as the Chinese Ministry of Finance. They sent fake emails, tricking users into believing they could apply for a new government grant. The trick was to prompt users to scan a QR code embedded in an attached document using a mobile messaging and payment app like WeChat. Hackers often target QR codes because they are difficult to detect with technical security measures. Furthermore, mobile devices, which are commonly used for such activities, can be less secure than computers. After scanning the code, users were redirected to a web page asking them to provide details of their credit cards and bank accounts.
Pay-to-park kiosks and parking ticket scams in the US
In a US case, cybercriminals placed counterfeit QR code stickers on parking kiosks, tricking drivers into believing they could use them to pay for parking. When scanning these codes, drivers were redirected to a fraudulent website where they entered their credit card information, inadvertently exposing their sensitive data to hackers. A similar incident occurred in Atlanta when drivers found counterfeit parking tickets with QR codes on their cars, supposedly for ticket payments. After the issue was discovered, local authorities issued a warning against using QR codes on their parking tickets.
What is QRLJacking?
A related concept to quishing is QRLjacking. Quick login (QRL) is an authentication method that uses QR codes to log in to websites, apps, or digital services. Users scan the QR code on the login screen with their smartphone, granting direct access or initiating secondary authentication for multifactor settings.
However, hackers can use QRL in the following ways:
- They initiate a client-side QR session on the target website or app.
- They clone a legitimate QR code and forward it to their server.
- They embed this modified QR code into a fake login page that looks like the original.
- A link to a fake login page is distributed via email or other channels, prompting users to click and scan a QR code.
- If multi-factor authentication is not active, scanning the QR code gives an attacker access.
Signs of a Quishing Attack – What to Look Out For
QR phishing often bypasses malware detectors and email filters by concealing QR codes in emails or attached documents with inconspicuous extensions. This obscurity, combined with emotional manipulation or social engineering, entices victims to scan malicious QR codes for fraudulent purposes. Beware of the following signs of QR phishing:
- Unusual sources: Be cautious if you receive QR codes from unexpected or unwanted sources, especially in emails or messages from unknown senders.
- Inappropriate domain: Check if the QR code redirects to a different domain or website than the one it claims to represent. This could be a sign of phishing.
- Grammar and Spelling: Poor grammar and spelling in cover messages or instructions may indicate a phishing attempt.
- Urgent requests: Beware of QR codes that contain urgent requests for immediate action, such as threats or promises of rewards.
- Multiple authentication steps: QR code login authentication typically involves a one-time scan. If you’re prompted to enter additional information or actions, it could be a phishing attempt.
- Excessively personal information: Requests for highly personal information, such as Social Security numbers or detailed financial data, can be a red flag.
- Unusual permissions: If you are prompted to grant extended permissions to a mobile app after scanning a QR code, exercise caution and investigate further.
QR phishing tactics vary, so it’s important to be vigilant and careful to avoid falling victim to this scam.
How to Prevent Quishing
To protect yourself from QR phishing, follow these guidelines:
- Verify the source: Always verify the source of a QR code before scanning it, especially if it is from an unknown sender.
- Be skeptical of unwanted QR codes: Exercise caution when encountering unwanted QR codes in emails, text messages, or physical materials.
- Check for spelling and grammar errors: Carefully review advertising materials for spelling and grammar errors, which are often found in scam messages.
- Inspect the target URL: Before scanning, ensure that the target URL matches the expected source and appears valid, without any suspicious or misspelled elements.
- Inspect the landing page: After scanning, carefully examine the content and design of the landing page. Legitimate pages are more likely to look professional and error-free.
- Beware of immediate requests for information: Be wary if a landing page immediately asks for sensitive information, such as login credentials or payment details. Legitimate services typically don’t ask for this information upfront.
- Check special offers or discounts: Independently verify offers promised via QR codes on the official website or directly from the company. If something seems suspicious or too good to be true, trust your instincts and avoid scanning the QR code.
- Look for HTTPS: Check for a secure connection (HTTPS) on the redirected website. The “S” stands for “secure” and indicates that the website has an up-to-date security certificate.
- Use two-factor authentication (FA): Enable FA for your online accounts to add an extra layer of security in case your credentials are compromised.
- Report suspicious activity: Report suspected QR phishing attacks to the appropriate authorities, your organization’s IT department, or your email service provider.
- Educate yourself and others: Stay up-to-date on cybersecurity news and threats to recognize potential risks. Share your knowledge about QR phishing and other online threats with friends and family to improve online safety together.
- Stay informed: Make sure your mobile device’s operating system and apps are regularly updated with the latest security patches to reduce your risk of becoming a victim of such attacks.
- Install security software: Protect your devices with the latest security software, like Kaspersky Premium, which blocks malicious websites and protects against a range of online threats.
By following these tips and being vigilant, you can significantly reduce your risk of becoming a victim of QR phishing attacks and other types of online fraud. Prioritizing online security is essential in today’s digital world, where QR codes are widely used.
Frequently Asked Questions About Quishing and QR Code Phishing Attacks
What is quishing?
Quishing involves cybercriminals using QR codes to lead people to fake websites, tricking them into providing personal or financial information or downloading malicious content. Quishing is also known as QR code phishing, QR code spoofing, or QRishing.
What steps should I take if I suspect I have been subjected to a quishing attack?
If you believe you’ve been phishing using a QR code, immediately disconnect from the page and avoid sharing any personal information. Change your passwords and, if possible, enable two-factor authentication (2FA). Notify your company’s IT department or help desk about the service involved. It’s also important to report the incident to the appropriate authorities or your email provider’s help desk to prevent future attacks.
How can I protect myself from fraud?
To stay safe, always verify the source of a QR code before scanning it, especially if it’s from an unknown sender. Be wary of unsolicited QR codes received via email, SMS, social media, or printed materials. Check the target URL before or immediately after scanning; the site should appear legitimate. Be skeptical of offers that seem “too good to be true” and confirm them directly with the official website or company. Look for HTTPS and a valid certificate on the landing page, and, when possible, enable two-factor authentication (2FA) for your accounts. Finally, get educated and share this knowledge with colleagues and family. Keep your systems and applications updated and use reliable antivirus software.