What is quishing? Understanding QR code phishing scams

Whenever new technology emerges, a new way of scamming people pops up along with it. One of these recent threats is quishing — a form of phishing that uses QR codes to trick people. QR codes are used across multiple industries and have an array of uses: a way to pay for your dinner, view a menu, or listen to an audio guide at a museum. So naturally, we've gotten extremely used to them, and cybercriminals were quick to use that trust for their own gains. So let's explore what quishing is, how it works, its potential dangers, and how to protect yourself from it.

Aurelija Andriekutė

Dec 12, 2024

8 min read

What is quishing?

Quishing definition

Quishing is a cyberattack that combines traditional phishing techniques with QR code technology. The term is a blend of "QR code" and "phishing."

Criminals embed malicious URLs in QR codes. Scanning this QR code may take you to malware-ridden websites or fake sites designed to trick you into revealing sensitive information.

How does quishing work?

Quishing attacks exploit the trust and convenience that we associate with QR codes — most of us are now trained to think twice before clicking an unknown link. But QR codes are a different story. Here’s how quishing works:

1.Attackers create a QR code. Attackers generate a QR code embedded with a malicious URL or programmed to perform a harmful action when scanned.
2.Attackers distribute the QR code. Attackers can send the malicious QR code out digitally through emails or social media posts, or they can distribute it physically by printing out posters, flyers, and stickers. Sometimes, an attacker may stick their malicious QR code over legitimate ones in public places.
3.Attackers used tactics to entice victims. Accompanying the QR code is a call to action or a short, compelling message, prompting users to scan it. The text could claim the code provides a special offer, offers access to an exciting app available for download, or contains useful information you can't get anywhere else (a menu, audioguide, or map).
4.The victim scans the QR code. An unsuspecting user scans the QR code using their smartphone or tablet, expecting to receive the promised content or service.
5.Attackers execute the attack. The QR code usually redirects the victim to a fake website or initiates a malware download.
6.Attackers exploit the collected data and conduct further attacks. The attackers use the harvested data and infected devices for identity theft, financial fraud, or more advanced phishing attacks.

What are the risks of quishing?

Depending on what the malicious QR code was programmed to do, quishing could lead to a number of problems:

1.Data theft. If the user enters their information into a fake website the QR code takes them to, the attackers may steal their accounts and other data, including usernames, passwords, and credit card details. This data can be used for cyber extortion and fraud or sold on the dark web.
2.Malware infection. Once scanned, some QR codes start automatically downloading malware to your device. It could be a number of malicious programs — spyware that monitors your internet activity, ransomware that locks you out until a ransom is paid, or a trojan that gives the attackers access to your device.
3.Financial loss. If you enter your financial details into a fake website or download spyware, cybercriminals can steal that information and make unauthorized transactions from your credit card, drain bank accounts, or commit other forms of financial fraud.
4.Reputational damage. For businesses, a successful quishing attack can result in customer data leaks, which can lead to loss of customer trust, negative publicity, and even legal consequences.
5.Privacy violations. Personal photos, messages, and other private information stored on your phone can be used for doxxing and blackmail.

Examples of quishing attacks

QR codes are such an integral part of our lives, some people may not even realize they’re scanning them every day:

Fake parking meter QR codes

Scammers are known to place fake QR codes on parking meters. Drivers scan the code, intending to pay for parking, but are redirected to a malicious website that captures their payment information.

Covid-19 contact tracing

During the height of the Covid-19 pandemic, QR codes were widely used for contact tracing. Cybercriminals took advantage by creating fake QR codes that directed users to phishing sites designed to look like health forms. These forms asked victims to enter personal information, which the hackers then stole.

Email-based QR code phishing

Employees receive emails, supposedly from their company's IT department, asking them to scan a QR code to reset their passwords because of a security update. Scanning the code leads the user to a fake login page that steals their credentials. This attack combines phishing emails with QR codes to bypass security filters that usually detect malicious links.

What should you do if you fall victim to a quishing attack?

Falling for a quishing attack could have serious consequences, so it’s important to act immediately:

Disconnect your device from the internet to stop further data transmission to the attacker and stop any ongoing malicious activity.
Do not give away any more information than you already did. If you start receiving calls, emails, and texts — don’t engage.
Use a reputable anti-malware software and run a full scan to detect and remove any malware you may have installed.
Identify which accounts may be at risk and change all compromised passwords. Set up two-factor authentication for extra security.
If you suspect that your financial information has been compromised, review your bank statement and credit card activity and notify your bank.
If your work device or account was compromised in a quishing attack, notify your IT department as soon as possible.

How to prevent quishing attacks

Protecting yourself from quishing scams involves a combination of vigilance, healthy skepticism, and security tools.

Be wary of unknown QR codes
- Only scan QR codes from trusted sources. Be careful with codes you find in unsolicited emails or social media posts.
- Before scanning a public code, check if the malicious code stickers were placed over legitimate QR codes.
Use secure QR code scanners
- Use specialized QR scanning apps that allow you to preview the URL before opening it. They will help you decide whether the link is legitimate.
- Choose apps that offer built-in security checks.
Check the URL carefully
- After scanning, analyze the URL. Look for misspellings, an odd domain name, or suspicious extensions.
- Be cautious if the QR code leads to a shortened URL — it may be used to hide the destination.
Keep your devices updated
- Regularly update your smartphone's operating system and apps to patch security vulnerabilities.
Use security software
- Get NordVPN and set up Threat Protection on your smartphone. It will help you avoid known malicious domains and phishing websites.
Secure your accounts
- Use strong passwords and make them impossible to guess. Avoid using the same ones across different accounts.
- Activate two-factor authentication to prevent unauthorized access, even if your credentials are stolen.
Limit app permissions
- Restrict QR scanning apps from accessing unnecessary data or functions on your device.
Be skeptical and informed
- Be cautious of QR codes that promise unrealistic rewards and discounts or have urgent calls to action.
- Keep up to date with the latest quishing tactics and share this knowledge with friends and family.
- Err on the side of caution — if something feels off about a QR code or the context in which it's presented, don’t scan it at all.