What is Quishing and How to Avoid It

Phishing
Hailey Carlson
November 7, 2023

We’ve all seen QR codes – those little square, black-and-white barcodes that you point your smartphone camera at in order to scan – and they’ve become more and more common in recent years. During the height of the pandemic, many restaurants opted to use QR codes in place of their traditional, physical menus in order to avoid the spread of germs. Savvier business people have begun adding a QR code on their business cards that links directly to their website instead of simply listing the link address as they once did. There are even ads on TV which have now become interactive thanks to QR codes – when we see an advertisement with one of these codes for products that interest us, we can go ahead and buy it right there in that moment by scanning the code from the comfort of our own living room!

The use of QR codes goes on to include coupons, scanning to pay, getting the chance to enter into giveaways, and more. It is apparent that QR codes have been adopted by many sectors and are in fact here to stay. What one might not consider before scanning one of these codes is that the link it opens may not be what they believed it to be before opening their camera app. However, this is exactly what happens when malicious actors carry out the attack known as quishing, or QR phishing.

In a quishing attack, a cybercriminal will make an unsuspecting person believe that they will be met with one outcome when they scan the QR code, only to have them be met by a malicious, fake website on the other end, resulting in malware infecting the person’s smartphone. Unfortunately, QR codes are an easy target for hackers because, unlike the traditional HTML link which shows the name of the website, a QR code is just a square barcode that doesn’t look much different from one to the next; the person scanning the code does not know for sure if it is legitimate or not until the link has already been scanned. Take these steps in order to avoid falling victim to a malicious quishing attempt.

Verify links and report suspicions – Before scanning a QR code, verify its legitimacy with the company or individual sharing it with you. If you scan a code and land on a website that appears to be unrelated to the reason you scanned the code, exit the webpage immediately. If this happens with a QR code you scanned in person, report it to the business so that they are made aware.

Check the URL – A quishing scam might not always be apparent immediately after you scan the code; some quishing attacks land the person scanning on a website that closely resembles the one they were aiming to reach, but it is in fact a fake page set up to look like a legitimate one. After scanning a QR code, be sure to look at the URL and confirm that it is the one you were trying to reach. If something seems off, close the site immediately.

Find another way – If for some reason you are unable to verify the legitimacy of a QR code by speaking with someone, or the URL you are met with seems odd, find an alternative way to get to this link’s destination. Either ask someone close by for the website address that you are trying to reach or Google what you are aiming to find.

Turn off the QR code scanning feature on your phone – QR codes are quite common and many are useful; however, if you find that you rarely or never scan a QR code and you want to avoid accidentally scanning a malicious one, you can disable the QR code scanning feature on your smartphone altogether.
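
The "Check the URL" step above can also be done in code by any tool that decodes a QR code before opening it. This is an added example, not part of the original article; the function name, the expected host and the sample URLs are constructed for illustration, and requiring https is an assumption of this sketch.

```python
from urllib.parse import urlsplit


def check_qr_url(decoded, expected_host):
    """Return the reasons a decoded QR URL does not match expected_host.

    An empty list means the URL points at the expected site.
    """
    problems = []
    parts = urlsplit(decoded.strip())

    # Assumption of this example: the legitimate site is served over https.
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, not 'https'")

    # "https://real-site@other-site/" shows the real name first but opens other-site.
    if "@" in parts.netloc:
        problems.append("text before '@' is not the host; it hides the real one")

    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        problems.append("no host in URL")
        return problems

    # Punycode labels (xn--) or raw non-ASCII can render as look-alike letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        problems.append("host contains internationalized (look-alike) characters")

    # Exact match or a true subdomain only; a prefix match is not enough.
    expected = expected_host.lower()
    if host != expected and not host.endswith("." + expected):
        problems.append(f"host {host!r} is not {expected!r} or a subdomain of it")
    return problems


if __name__ == "__main__":
    # Constructed sample URLs, as a QR decoder might return them.
    samples = [
        "https://menu.example.com/table/12",
        "https://menu.example.com.order-pay.example.net/table/12",
        "https://menu.example.com@pay.example.net/table/12",
        "http://menu.example.com/table/12",
    ]
    for url in samples:
        print(url, "->", check_qr_url(url, "menu.example.com") or "OK")
```

The second sample starts with the expected name but belongs to a different domain, which is the "closely resembles" case that is hard to spot on a small phone screen.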
