Quishing is the QR code scam you need to watch out for
- Banks and regulators have warned of the growing risk of quishing
- A type of phishing that uses fraudulent QR codes to steal information
- These malicious links aren’t easily recognized by users or email scanners
It’s not just suspicious links you need to watch out for in your email inbox: QR code phishing – or “quishing” – is becoming an increasingly common threat, with fraudulent codes designed to slip through security systems and fool you into surrendering your financial information.
A number of UK banks, together with the UK National Cyber Security Centre and US Federal Trade Commission, have recently warned of the dangers of these increasingly sophisticated quishing scams.
In a quishing attack, a QR code is usually sent as an attachment to an email. The email will appear to be from a legitimate source, such as a lender. When you scan the code, it will direct you to a malicious link. This will usually ask you to submit personal details, but it could also attempt to install malware or even capture an MFA token to get around the protection on your login.
What’s more, quishing attacks have now spread into the real world. Earlier this year, the RAC warned motorists of fraudulent QR codes being stuck to parking machines. When scanned, these would link users to a website that aims to steal the details and payment information of someone who believes they’re paying for parking.
These attacks have increased since the pandemic, when the use of QR codes ballooned. As a hands-free way to access everything from menus to medical forms, QR codes became a familiar and apparently trustworthy way to access information and services.
Gone quishing
Like a classic phishing scam, quishing aims to fool you into believing that you’ve been sent the link from a legitimate source. The email will usually appear to be from a bank or email provider, asking you to confirm your details to ‘secure’ your account. The scam will use a fake website that mimics the real thing to fool you into believing it’s legitimate.
Because the content of a QR code isn’t immediately visible from looking at the code alone, it’s difficult to check if one is legitimate. What’s more, these codes often slip past cyber security tools, which aren’t easily able to verify whether an attached code is genuine.
Scammers also find increasingly advanced ways to hide their scams from security tools. In addition to hijacking legitimate email accounts, some QR code scams use genuine personal information harvested from sites such as LinkedIn to personalize emails to appear relevant to an individual. Domain redirection is often used to bounce users through several URLs, which prevents email scanners from detecting the true malicious link behind the QR code.
A similar version of the scam, featured in a report from Perception Point, sends users to me-QR.com, a legitimate website for making QR codes. Once there, the service scans a second QR code, which leads to a malicious landing page hosted on SharePoint, Microsoft’s web-based collaboration platform.
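For defenders, the redirect chain itself is a usable signal once the QR code has been decoded and followed in a sandbox. The sketch below is an added example, not code from the article or from Perception Point; the intermediary list, the hop limit, the sample chain and the `bank.example` brand domain are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: services the article reports being used as intermediate hops.
# Seeing them is a heuristic signal, not proof of abuse.
INTERMEDIARIES = {"me-qr.com", "sharepoint.com"}
# Simplification: a production scanner would use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}
# Constructed sample: URLs a sandboxed fetcher might record after decoding a QR code.
CONSTRUCTED_CHAIN = [
    "https://me-qr.com/constructed-id",
    "http://redirect.example.net/r?id=1",
    "https://example-tenant.sharepoint.com/sites/x/login.aspx",
]


def registrable_domain(url):
    """Return the registrable domain of a URL (naive, without the PSL)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def assess_chain(chain, claimed_domain, max_hops=1):
    """Flag a redirect chain whose first URL was decoded from a QR code.

    chain: URLs in the order they were observed.
    claimed_domain: registrable domain of the brand the email claims to be.
    Returns a list of findings; an empty list means nothing was flagged.
    """
    findings = []
    domains = [registrable_domain(u) for u in chain]
    redirects = len(chain) - 1
    if redirects > max_hops:
        findings.append(f"{redirects} redirects (limit {max_hops})")
    if domains[-1] != claimed_domain.lower():
        findings.append(f"lands on {domains[-1]}, not {claimed_domain}")
    for url, dom in zip(chain, domains):
        if dom in INTERMEDIARIES:
            findings.append(f"passes through intermediary {dom}")
        if urlsplit(url).scheme != "https":
            findings.append(f"non-HTTPS hop {url}")
    return findings
```

Scoring the whole chain rather than only the first URL is the point: the first hop in the sample is a legitimate QR service, and only the later hops and the final landing domain reveal the mismatch with the claimed sender.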
We’ve written in depth about the evolution of phishing attacks and how to stay safe from quishing attacks. In May, McAfee – the security software company – ran a survey that found more than 20% of online scams in the UK probably involved QR codes. With lenders and regulators now raising concerns, quishing is definitely the next big thing in online scams.