QR code phishing (quishing) definition
QR code phishing (also known as quishing) is a social engineering attack that uses a QR code to trick people into giving up personal data such as financial details or login information.
QR code phishing examples
- In China, scammers placed fake QR code parking tickets on illegally parked cars with instructions on how to pay via a mobile app.
- In the Netherlands, a QR code scam faked a legitimate feature of a well-known bank’s mobile banking app. Users who had sold things in the past were targeted, receiving a QR code that they were supposed to scan to “confirm the payment.” The QR code linked all the users’ account information to the scammers’ devices.
Preventing QR code phishing
- Think before you scan. Ask yourself if you know who put the QR code there and if you trust it. If something feels off, don’t scan it.
- Inspect the QR code link. On iOS, you can open the associated link in a web browser. Inspect that link before proceeding to the site — if the domain doesn’t match the organization it claims to be from, something’s not right.
- Check for tampering. In public places, be cautious of QR codes that look altered or that have been placed over official ones. Attackers sometimes stick fake QR codes on top of legitimate ones to send you to malicious sites.
- Use multi-factor authentication (MFA). Even if you mistakenly scan a phishing QR code and it leads to a malicious login page, having MFA enabled can prevent unauthorized access to your accounts.
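The "inspect the QR code link" check above can be automated once the QR code has been decoded to text. The following is an added example, not part of the original page: the expected domain `bank.example`, the function name `inspect_qr_url` and the sample payloads are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the domain(s) the named organization really uses (placeholder value).
EXPECTED = {"bank.example"}

def inspect_qr_url(payload, expected=EXPECTED):
    """Return warnings for a URL decoded from a QR code; an empty list means no findings."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["unparseable"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    # "https://bank.example@other.test/" shows the trusted name, but the host is other.test.
    if parts.username is not None:
        warnings.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    # Punycode or raw non-ASCII labels can render as look-alikes of a known name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalized-host")
    # Match on whole labels: exact domain or a subdomain of it, never a substring.
    if not any(host == d or host.endswith("." + d) for d in expected):
        warnings.append("domain-mismatch")
        if any(d in host for d in expected):
            warnings.append("expected-name-used-as-decoy")
    return warnings

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://pay.bank.example/ticket/123",
    "https://bank.example.evil.test/pay",
    "https://bank.example@evil.test/login",
    "http://192.0.2.10/pay",
    "https://xn--bnk-6ma.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", inspect_qr_url(url) or "no findings")
```

An empty result only means none of these checks fired; it does not prove the destination is trustworthy.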