Quishing: The QR Code Scam You Need to Watch Out For

Over the last few years, QR codes have become more popular than ever: in restaurants, retail settings, doctor’s offices, and just about everywhere else. With the rise of any new technology comes a rise in ever-evolving means of digital deception. QR codes are no different, and a new threat has emerged: Quishing, a sophisticated QR code scam that preys on unsuspecting individuals.

What is Quishing?

Following in the steps of “Phishing” and “Smishing”, Quishing is such a new concept that even its very name is up for debate. This type of attack may go by the names “Quashing,” “Qishing,” or “QR Phishing.” Regardless of the official name, this is a new type of attack HTC thinks you should be aware of. After all, awareness is one of your best methods of prevention.

Quishing involves manipulating QR codes to redirect users to malicious websites or perform unauthorized actions on devices. Unlike traditional phishing methods, Quishing leverages the trust people place in QR codes, which are widely used for contactless transactions, website links, and more.

Scammers tamper with legitimate QR codes, leading users to unintended destinations, often laden with malware or designed to steal sensitive information.

Some examples: a QR code sticker on a gas pump designed to look like a sign-up for a rewards card, a QR code on a restaurant table that takes you to a digital menu, or a QR code at a pay-for-parking lot or parking meter that may ask for financial information such as your PayPal or Venmo details.

If you haven’t heard of quishing, you are not alone. Check out this story on quishing, what it is and how to protect yourself.

Taking Steps to Avoid Quishing
  • Inspect the QR Code. Before scanning any QR code, take a moment to inspect its appearance. Quishing often involves placing a deceptive sticker over a legitimate code, altering the content. Look for any irregularities or signs of tampering.  You may see a QR code sticker at a gas pump or at a restaurant that just seems out of place or doesn’t fit the company or establishment’s look and feel.
  • Use a Secure QR Code Scanner. Opt for reputable QR code scanning apps that prioritize security. These applications typically incorporate features like code validation to ensure the authenticity of the scanned information.
  • Be Wary of Unsolicited Codes. Avoid scanning QR codes from unknown or unsolicited sources. Whether it’s a flyer, email or random message, think twice before interacting with codes that appear unexpectedly.
  • Update Your QR Code Scanner App. Ensure that your QR code scanning application is up to date. Developers often release updates to address security vulnerabilities and enhance protection against evolving threats like Quishing.
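
The kind of validation a scanner can run on a decoded code before opening it, as an added example (not HTC's code or any particular app's). The function name, the expected domains and the sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def qr_payload_flags(payload, expected_domain=None):
    """Return warning strings for a decoded QR payload (empty list = no flags)."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"non-web scheme: {scheme or 'none'}"]
    flags = []
    if scheme == "http":
        flags.append("no TLS (http://)")
    if parts.username or parts.password:
        # Text before '@' is only a login hint; the real host comes after it.
        flags.append("userinfo before '@' hides the real host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return flags + ["no host"]
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal domain name
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label (possible look-alike domain)")
    if expected_domain:
        exp = expected_domain.lower().rstrip(".")
        # The host must be the business's domain or a subdomain of it.
        if host != exp and not host.endswith("." + exp):
            flags.append(f"host {host} is not under {exp}")
    return flags

# Constructed samples: (decoded payload, domain the business is known to use)
SAMPLES = [
    ("https://menu.example-cafe.test/table/12", "example-cafe.test"),
    ("http://203.0.113.7/rewards", "example-fuel.test"),
    ("https://example-parking.test@xn--pay-prking-x7a.test/pay", "example-parking.test"),
    ("https://example-cafe.test.evil.test/menu", "example-cafe.test"),
]

if __name__ == "__main__":
    for payload, expected in SAMPLES:
        flags = qr_payload_flags(payload, expected)
        print(payload, "->", flags or "no flags")
```

A clean result only means the link passed these checks; it does not prove the site behind it is safe.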
 
Identifying Quishing Scams
  • Check to see if there is urgency needed on your part. Scammers want you to give up your information as quickly as possible. Oftentimes, they will try to induce a sense of urgency so that you will give up your data without having time to think about whether or not you are being scammed.
  • What information do they want from me? Check to see if there is a link leading to a site to fill out personal information. Why do they need this information? Are you giving out too much personal information just to receive a rebate or coupon, or even to view a restaurant menu?
  • How professional does the QR code or associated website look?  Double-check the sender’s address and website content for misspellings or bad grammar.  Incorrect wording paired with terrible grammar and punctuation are big red flags that you may have wandered into a scam.
 
What to Do If You Fall Victim
  • Disconnect from the Network. If you realize you’ve scanned a compromised QR code, immediately disconnect your device from the internet to prevent further unauthorized access or data theft.
  • Run a Security Scan. Use a reputable antivirus or anti-malware tool to scan your device for any potential threats. These programs will help you identify and remove malicious software that may have been installed through the compromised QR code. There are many popular options, and many providers (like HTC) will provide software to customers at no charge.
  • Change Passwords and Credentials. If the compromised QR code led you to a site where you entered login credentials or sensitive information, change those passwords at once. Monitor your accounts for any unusual activity.
  • Report the Incident. You should report the Quishing incident to the proper authorities and the business or organization whose QR code was tampered with. Sharing details of the scam helps raise awareness and may contribute to efforts to combat such fraudulent activities.

You can find more information from the Cybersecurity & Infrastructure Security Agency (CISA), a reputable source dedicated to enhancing the nation’s cybersecurity resilience. According to CISA, staying vigilant and adopting secure practices is crucial in protecting oneself from QR code scams like Quishing.

While QR codes have undoubtedly simplified many aspects of our lives, it’s essential to remain cautious in their usage. By understanding the threat of Quishing and implementing preventive measures, we can navigate the digital landscape with confidence and security.
