QR code phishing, most commonly referred to as “quishing,” is a type of phishing attack that tricks users into scanning QR codes to steal personal information such as login credentials or credit card numbers. When a user scans a QR code created for a quishing attack, they are taken to a malicious website that either downloads malware on their phone or asks for their personal information.
Continue reading to learn more about quishing, how it differs from phishing, how it works, why it is dangerous, the signs of a quishing attack and how to prevent falling victim to one.
Quishing vs. Phishing: What’s the Difference?
Phishing is a type of cyber attack that tricks people into revealing their personal information. Cybercriminals will send messages, typically through email or text messages, to users with a malicious attachment or link. When the user clicks on the link, they are taken to a fake website that either downloads malware on their device or tricks them into revealing their personal information.
Quishing is a type of phishing attack, but instead of using attachments or links, it uses QR codes that direct users to a malicious website when scanned. Both quishing and phishing try to steal a user’s personal information, but they differ in the methods they use.
How Does Quishing Work?
To initiate a quishing attack, cybercriminals first create a fake website. These fake websites try to impersonate legitimate websites with the goal of either downloading malware on the user’s device when they land on the page or tricking users into revealing their sensitive data.
Once the fake website is created, cybercriminals create a QR code that links to the fake website. A QR, or Quick Response, code is a two-dimensional barcode that holds encoded data, such as a link, and can be scanned by a phone or barcode reader.
When the QR code is created, the cybercriminal will send the QR code via email or text messages, or place it in public spaces such as on flyers or posters, for victims to scan. When a victim scans the QR code, they are sent to the malicious website which will prompt them to reveal their sensitive information.
The Dangers of Quishing
Quishing attacks are dangerous because they can easily be created by cybercriminals and hide malicious links behind QR codes. QR codes are not difficult to make and can be created by anyone. A cybercriminal uses a QR generator to create the QR code and embed the malicious link into it. Because the malicious link is embedded in the QR code, it is difficult to spot a malicious link right away, allowing quishing attacks to bypass spam filters. Since you can’t see the malicious link initially, it is easy to fall for quishing attacks that could allow unauthorized users into your accounts.
Signs of a Quishing Attack
Quishing is harder to detect since QR codes are used instead of links or attachments. However, you can still spot the signs of a quishing attack because they are similar to those of a phishing attack. Here are the signs of a quishing attack to look out for.
QR code sent from a suspicious sender
Quishing attacks will often try to impersonate a legitimate business or a colleague from work sending you a QR code to scan. However, you may notice inconsistencies, such as the sender’s name not matching the email address. The email may also be sent from a public email domain such as Google or Yahoo.
Spelling or grammatical errors in the message
If you notice spelling or grammatical errors in a message with a QR code, then it is a sign of a quishing attack. Legitimate businesses check their emails multiple times for any spelling and grammatical errors before sending them. If a message contains spelling or grammatical errors, it is most likely a cybercriminal trying to impersonate a legitimate business.
Urgent language to scan the QR code
If the message with the QR code is urgently trying to get you to scan the QR code, then it is most likely a quishing attack. Cybercriminals may use urgent language to scare you into scanning their QR code and giving up your personal information. They’ll make you think you are missing out on a great offer, in danger or need to confirm something with your personal information.
Errors in the QR code’s website address
When you scan a QR code, before landing on the intended page, you can preview the link to the page. If you notice that the link has been shortened, is unreadable or contains spelling errors, then the link most likely leads to a malicious website for a quishing attack. If you accidentally opened the link from the QR code, look for any discrepancies on the website such as misspellings or format mistakes, and avoid interacting with the website.
QR codes with too-good-to-be-true offers
Some QR codes may try to promote great deals such as discounts, special offers or free stuff. If they seem too good to be true, they probably are. Cybercriminals will say anything to get you to scan their malicious QR code. They’ll trick you into thinking you are getting a great deal when in reality, you are falling for their scheme. You should investigate the offer before taking any action.
Request for personal information
A sudden or unprompted request for personal information is most likely a sign of a quishing attack. A legitimate business or colleague from work will never ask for sensitive information such as your login credentials or credit card information by email or text.
Discrepancies with physical QR codes
Not all quishing attacks are attempted online. Some malicious QR codes are placed in public places such as restaurants and parks. They can be distributed on flyers, posters or stickers for people to scan. Some malicious QR codes are placed over legitimate ones to trick users into scanning them. If there are any suspicious discrepancies with the physical QR code from a legitimate business, it has most likely been tampered with by cybercriminals and replaced with a malicious QR code. You should contact the business directly to confirm the authenticity of their QR codes.
How To Prevent Quishing Attacks
Quishing is a relatively new and dangerous way of stealing a user’s personal information. However, the tactics to prevent traditional phishing attacks still apply to quishing. Here are the ways to prevent falling victim to quishing attacks.
Avoid scanning unsolicited QR codes
You should avoid scanning any unsolicited QR codes when you don’t know the source. If you get an unsolicited message urging you to scan a QR code or if you see a QR code in public, you should avoid scanning it because it may be a quishing attempt that leads to a malicious website.
Check the QR code’s website address for any discrepancies
When you scan a QR code, you are given a preview of the QR code’s website address to click to open the link. Always check the link of the QR code before clicking on it and examine it to see if there are any discrepancies in the URL. If you notice any spelling errors or unfamiliar domain names, the QR code is most likely directing you to a malicious website.
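The checks described above (shortened links, unreadable addresses, misspelled or unfamiliar domains) can be applied mechanically to the address a QR code decodes to. The following is an added example, not code from the article or from any product; the shortener list, the expected domains and the finding labels are constructed sample data, and the two-label domain split is a simplification.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumptions): link shorteners to flag and the
# domains the reader actually expects to deal with.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
EXPECTED_DOMAINS = {"example-bank.com", "example-shop.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Simplification: last two labels. Production code should use the
    # Public Suffix List (e.g. for names under co.uk).
    return ".".join(host.split(".")[-2:])

def review_qr_url(url):
    """Return a list of findings for the address decoded from a QR code."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ["no-web-host"]
    if host in SHORTENERS:
        return ["shortened-link"]  # real destination is hidden until opened
    findings = []
    # Punycode or non-ASCII labels can render as look-alike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("unreadable-host")
    domain = registrable(host)
    if domain not in EXPECTED_DOMAINS:
        near = sorted(d for d in EXPECTED_DOMAINS if edit_distance(domain, d) <= 2)
        if near:
            findings.append("lookalike-of:" + near[0])
        else:
            findings.append("unfamiliar-domain")
    return findings

if __name__ == "__main__":
    for sample in ("https://www.example-bank.com/login",
                   "https://bit.ly/3abcXYZ",
                   "https://examp1e-bank.com/login",
                   "https://example-bank.com.account-verify.test/"):
        print(sample, "->", review_qr_url(sample) or "no findings")
```

An empty result means only that none of these particular signs were found, not that the destination is safe.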
Contact the company that sent you the QR code through other means
If you received a QR code from a company or person you recognize, you should try contacting the business or individual directly through other means of communication and ask them about the QR code. You can also visit the company’s website directly rather than using the QR code.
Use strong and unique passwords to protect your accounts
Just like any phishing attack, quishing will try to steal your login credentials and access your accounts. Your online accounts can contain personal information such as your credit card numbers or home address. You need to use strong and unique passwords to protect your personal information from cybercriminals. Strong and unique passwords make it difficult for cybercriminals to gain access to your accounts.
You should also use a password manager to store your passwords. A password manager is a tool that securely stores and manages your personal information in an encrypted vault. A password manager protects your login credentials using encryption and can only be accessed with a master password. With a password manager, you can access all of your unique passwords whenever you need them.
Some password managers help prevent phishing attempts by storing the URL of an account’s login page. Whenever you try to log in to your accounts, your password manager will autofill the login credentials when you are on the stored login page. However, if you are on a fake website, your password manager won’t autofill your login credentials, preventing cybercriminals from stealing your login credentials.
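Why matching on the stored login page defeats a look-alike site can be shown with a small model. This is an added example, not Keeper's implementation or any vendor's code: it assumes a record is matched on scheme, host and port, and the vault contents and URLs are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed sample vault: stored login URL -> (username, password).
VAULT = {"https://example-bank.com/login": ("alice", "constructed-sample-password")}

def origin(url):
    """Return (scheme, host, port): the identity of the site serving a page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return (parts.scheme, host, parts.port or DEFAULT_PORTS.get(parts.scheme))

def naive_match(stored_url, page_url):
    """Weak check: the stored host merely appears somewhere in the address."""
    return urlsplit(stored_url).hostname in page_url.lower()

def strict_match(stored_url, page_url):
    """Hardened check: the page must come from exactly the stored origin."""
    return origin(stored_url) == origin(page_url)

def autofill(vault, page_url, match=strict_match):
    """Return stored credentials only if a record matches the current page."""
    for stored_url, creds in vault.items():
        if match(stored_url, page_url):
            return creds
    return None

if __name__ == "__main__":
    pages = [
        "https://example-bank.com/login?next=/home",           # genuine page
        "https://example-bank.com.account-verify.test/login",  # name used as subdomain
        "https://example-bank.com@account-verify.test/login",  # name used as userinfo
        "https://examp1e-bank.com/login",                      # misspelled domain
    ]
    for page in pages:
        print(page,
              "| naive:", bool(autofill(VAULT, page, naive_match)),
              "| strict:", bool(autofill(VAULT, page)))
```

The naive substring check fills credentials on the two addresses that merely contain the real name, while the origin comparison fills only on the genuine page.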
Enable MFA on your accounts
Multi-Factor Authentication (MFA) is a security measure that requires you to provide additional forms of authentication to gain access to an account or device. Enabling MFA gives you even more control over who has access to your online accounts. It adds an extra layer of security by verifying the identity of authorized users. Even if your login credentials were compromised from a quishing attack, cybercriminals would not gain access to your accounts because they are protected by MFA.
Keep your software up to date
To prevent cybercriminals from exploiting security vulnerabilities on your device, you should keep your software up to date. Software updates come with patches that remove security flaws and add new security features that better protect your device.
Install antivirus software
Antivirus software is a program that can detect and remove known malware and prevent it from infecting your device. You should install antivirus software on your phone to prevent quishing attacks from installing malware on it. If you accidentally scan a QR code from a quishing attack and land on a malicious website, antivirus software will prevent malware from automatically installing on your device.
Protect Yourself From Quishing Attacks With Keeper
Although quishing attacks can be scary to deal with, you can easily protect yourself by avoiding QR codes from suspicious and unknown sources, using strong and unique passwords, enabling MFA, keeping your software up to date and installing antivirus software on your device.
However, the best way to protect yourself from quishing attacks is by using a password manager. With a password manager, your login credentials are protected by different levels of encryption.
Keeper® Password Manager offers the feature KeeperFill®, which automatically fills your login credentials stored in your password manager whenever you land on the login page for your accounts. Sign up for a free trial of Keeper Password Manager to protect yourself from quishing attacks.