Scammers exploit the speed and simplicity of QR code interactions, and quishing attacks have emerged as a new threat that hides in plain sight. Since scanning only requires a quick image capture, users often overlook the risk. Let’s look at how the scam works and exactly which problems it can lead to.
Quishing: QR Code Phishing on the Rise
As mobile devices become central to our daily activities, QR codes have emerged as a convenient shortcut to connect users with digital content, websites, and apps. From restaurants to event venues and even product packaging, scanning a QR code has quickly become second nature for many.
However, this convenience has not gone unnoticed by cybercriminals, who have begun exploiting it in a phishing technique called “quishing” (QR phishing). Hackers can create malicious QR codes that lead users to fake websites, collecting sensitive data or downloading malware. These codes can also grant permissions that compromise device security.
Quishing represents an evolution in phishing techniques, as the opaque appearance of QR codes adds a layer of deception that traditional phishing emails lack. Unlike emails or suspicious links that may raise a red flag with their appearance, QR codes are unintelligible to the eye, giving no clue about the destination URL or app behind the coded pattern. This setup plays on a sense of urgency and habit, often bypassing the skepticism that might otherwise stop a user from opening a dangerous link.
How Quishing Works
Quishing attacks exploit the combination of QR codes’ convenience, ease of creation, and capacity for anonymity. Anyone can easily generate a code online for free. Even simple codes can direct users to malicious sites or unauthorized apps. This is partly due to the instant nature of QR code interactions. Here’s how typical quishing attacks play out:
Stage 1. Malicious QR Code Creation
Scammers generate malicious QR codes using free online tools. These QR codes may link to a phishing website, a malware downloader, or an app that requests excessive permissions. In some cases, these codes are disguised to look as if they lead to legitimate sites by mimicking brand names or links.
Stage 2. Distribution and Placement
Criminals print the malicious QR codes and paste them over legitimate codes in high-traffic or trusted locations, such as public transportation stations, restaurants, office buildings, and parking meters. This tactic leverages the implicit credibility of these environments, where people expect codes to be safe.
Stage 3. Targeted Interaction
Once a user scans a fake code, they are redirected to a phishing website or malicious app. These sites may prompt the user to enter personal information, download malware, or agree to permissions that allow access to contacts, device location, and even financial details. QR codes can also direct users to unsafe apps or bypass certain security protocols, increasing the chances of device compromise.
Stage 4. Resulting Attack
If the victim provides their information or grants permissions, scammers gain access to sensitive data, which can lead to financial loss, identity theft, or unauthorized access to personal accounts. Many quishing schemes also enable attackers to retain long-term access, using acquired permissions to collect further data or even monitor device activity.
How to Counteract Quishing
Since this is a non-obvious scam, it’s important to stay vigilant when scanning any code, wherever you go. For a deeper dive into QR code scams, check out our detailed post on the topic. To avoid unwanted consequences from scanning a code, do the following:
1. Look for signs of physical tampering. Check the QR code closely to make sure it is not a sticker pasted on top of another code. Scammers often stick a fake code over a legitimate one in public places, so users scan it without any doubt, expecting it to be a genuine code with a genuine result.
2. Once scanned, take your time to interact with the result. Most smartphones today have a built-in QR code scanner directly in the camera app. When scanning a code, the camera will usually show a preview of the link the code suggests you click on. Ensure the link is legitimate and corresponds to what you’re expecting to open before clicking on it.
3. Never scan QR codes in random places. It may be funny to see a code stuck on the door of a public restroom, but it will be much less funny to discover that it leads to a phishing page or an exploit landing. Curiosity is natural for humans, sure, but it is sometimes wise to tone it down for the sake of safety.
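The second tip above comes down to reading the scanner's link preview critically. The following is an added example, not code from the original post: a small Python triage function that takes the decoded payload string a QR scanner would show in its preview and returns a list of warnings a user (or a mail gateway that has already decoded the image) should notice before opening it. It assumes the payload is already decoded to text; the `expected_domain` parameter, the sample payloads, and the short list of URL-shortener hosts are constructed for the example.

```python
"""Triage a decoded QR payload before acting on it (added example, not the post's own code)."""
from typing import List, Optional
from urllib.parse import urlsplit
import ipaddress

# A few widely known shortener hosts; the list is illustrative, not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Constructed sample payloads, as a scanner's preview would display them.
SAMPLE_PAYLOADS = {
    "menu": "https://www.example.com/menu",
    "userinfo_trick": "https://paypal.com@evil.example/login",
    "bare_ip": "http://192.0.2.10/pay",
    "wifi": "WIFI:T:WPA;S:FreeCoffee;P:hunter2;;",
    "shortener": "https://bit.ly/3abc",
}


def inspect_qr_payload(payload: str, expected_domain: Optional[str] = None) -> List[str]:
    """Return human-readable warnings for a decoded QR payload.

    An empty list means no red flag was found; it does not prove the link is safe.
    expected_domain (hypothetical parameter) is the domain the user expects,
    e.g. the restaurant's own domain printed on the menu.
    """
    warnings: List[str] = []
    text = payload.strip()
    lowered = text.lower()

    # Non-URL payloads that a phone may act on with a single tap.
    if lowered.startswith("wifi:"):
        return ["WIFI payload: joins a network; only accept it from a source you trust"]
    if lowered.startswith(("tel:", "sms:", "smsto:", "mailto:")):
        action = text.split(":", 1)[0].upper()
        return [f"{action} payload: triggers a call, message or mail action"]

    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        # e.g. intent:, javascript:, market: or a bare string with no scheme
        return [f"unexpected scheme '{parts.scheme or 'none'}': not a normal web link"]
    if parts.scheme == "http":
        warnings.append("plain http: the page is not authenticated by TLS")

    # 'https://paypal.com@evil.example/' shows a brand first, but the host is after the '@'.
    if parts.username is not None or parts.password is not None:
        warnings.append("credentials in URL: the text before '@' is not the site you will visit")

    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("no host in URL")
        return warnings

    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a named site")
    except ValueError:
        pass  # a normal hostname

    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host: look-alike (homoglyph) domain possible")

    if host in SHORTENERS:
        warnings.append("URL shortener: the real destination is hidden until you open it")

    if expected_domain:
        exp = expected_domain.lower()
        if not (host == exp or host.endswith("." + exp)):
            warnings.append(f"host '{host}' is not under the expected domain '{exp}'")

    return warnings


if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(f"{name}: {payload}")
        for w in inspect_qr_payload(payload, expected_domain="example.com"):
            print(f"  ! {w}")
```

The userinfo case is the one most worth internalizing: the preview starts with a familiar brand name, yet the host actually resolved is whatever follows the `@`. The function only reports what can be read from the string itself; it never fetches the link, so it is safe to run on any payload.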