What is Quishing? How to Protect Yourself

QR codes are everywhere these days! Whether looking up a restaurant menu or scanning a code to play a game with friends, it’s not uncommon to pull out your smartphone and scan a QR code. Unfortunately, this useful tool has been exploited by cybercriminals. Just like phishing attempts try to get you to click on malicious links so that cyber attackers can steal your personal information, a new type of scam called “quishing” tries to get you to open dangerous QR codes. Protecting yourself from quishing requires knowledge and care. Let’s make sure you’re safe from this newer type of cyber attack! First, let’s take a look at situations in which QR codes are used correctly. Legitimate businesses use QR codes for a variety of purposes, most of which are perfectly safe. With so many legitimate uses of QR codes, it makes sense why scammers would realize the opportunity they have to get people to scan malicious, dangerous codes. When a cyber attacker creates a quishing attack, they create a fake QR code that leads to a phishing site. A famous example is the use of QR codes on parking meters . After all, many municipalities use QR codes so that people can pay their parking fees online, rather than with change or a credit card at the meter. Scammers take advantage of this by placing a sticker on a parking meter with a fraudulent QR code on it. When you scan the code, you are greeted by a website that says it is the parking company or the city. If you trust what you’re looking at, you simply input your information, including your name, email address, contact information, and credit card information. Unfortunately, you haven’t just paid an illegitimate parking company, but you have also handed over your credit card information to a cyber-criminal. Plus, you’re not actually parked legally, which means you may receive a ticket or have your car towed for non-payment. How frustrating! These fake QR codes often look legitimate, especially if they are mimicking the websites of real companies. It can be difficult for even the most savvy smartphone users to spot some of these phishing sites! In addition to tricking you to input payment information into a fake website, quishing scammers will also try to do the following: Although it’s normal to encounter QR codes that are printed or shared in public spaces, you could also receive an email that includes a QR code. The email will tell you to “simply grab your smartphone and scan this QR code for more information!” These are often fraudulent. Most email providers identify scams by recognizing signs of questionable URLs and attachments. However, QR codes can be embedded as plain images, which helps scammers bypass those security measures. Often, the email will come from a phishing account that looks like a familiar sender, but it is really from the scammer. Your curiosity may prompt you to open the QR code using your phone. Alternatively, the email may apply pressure by warning that your account will be locked if you don’t take action right away. Regardless, there are very few reasons why a legitimate sender would need to have you open an email and then scan an included QR code with your smart device. As you can tell, quishing scams can cause a lot of damage! Like other forms of hacking, falling victim to quishing can lead to significant financial losses, issues proving your identity, damage to your credit, and both professional and personal ramifications. Take these steps to protect yourself from these scams: If you find that you have fallen for a quishing scam, don’t panic. It is important to take some intentional steps to protect your finances, identity, and data. Panicking doesn’t help! Your first step will be to change any passwords and security PINs that you entered after scanning the code. Scammers won’t waste any time; they will immediately try to access your accounts using the credentials you provided. If you haven’t already enabled two-factor authentication, do that right away for as many sites and apps as possible. They will also use the same email, username, and password credentials to try to access accounts that you are likely to have: major banks, credit card companies, and online retailers. This is why it’s always a good idea to use different passwords for your accounts – it makes it harder for hackers to use your credentials to access multiple sites. Your next step is to contact your bank if you entered any financial information. You may also choose to shut down any credit or debit accounts that you used to pay for something at the QR website. Report any possible signs of fraudulent activity on your accounts. Finally, scan your device immediately (and again later) for any signs of malware, spyware, and viruses. Malicious sites you accessed via QR code could have downloaded something to your phone without your knowledge. Run a deep virus scan using security software and remove anything suspicious. Additionally, you can sign up for credit monitoring if the scammers managed to harvest a lot of personal information, such as your social security number, full name, birth date, and credit card information. If the quishing scam pretended to be a legitimate business, whether that is a bank, a retailer, or even a parking company, contact that entity and let them know. They track the scam reports they receive and will use the information to warn others.