QR codes have become an essential tool in many sectors. We see them on restaurant menus, on gym machines that inform us how to use them, on tickets to concerts or other events... This technology streamlines some processes and provides us with information easily. But, unfortunately, cybercriminals are taking advantage of their increasingly widespread use to try to steal our data. In this post, we tell you how they do this through quishing.
Most of us have gotten used to seeing QR codes everywhere. In the wake of the COVID-19 pandemic, many establishments began implementing them to minimize physical contact, and given their effectiveness, they ended up sticking around forever. However, we must be careful what we scan with our phones, as we could be facing a scam attempt.
When fake QR codes are used, we commonly refer to quishing, a form of phishing that attempts to trick users into stealing personal or banking information. QR codes typically redirect us to malicious websites or may automatically download fraudulent files. To lure people in, cybercriminals place the codes on restaurant tables or next to messages that encourage scanning. Therefore, you need to be careful even if you think you're in a safe place.
Examples of quishing attacks
There are many different methods a scammer can use to convince us to scan a QR code. Below, we'll list the most common ones so you're aware:
-
Fraudulent emails. Typically, they'll claim to be from a bank or company you're supposedly a customer of and ask you to scan a code to "verify your account" or something similar.
-
Fake QR codes in public places. They're placed in restaurants, parking lots, or on promotional posters to redirect to malicious websites. We've become so accustomed to seeing them that they rarely raise suspicions.
-
Text messages or social media. They send a QR code with a tempting offer or a supposed problem with a personal account.
These are just a few examples, but there are many ways to trick us into scanning a QR code. Whenever you do this, be sure to check that the page you're redirected to is official and avoid entering private information even if requested. If your phone downloads a file when scanning, delete it immediately and don't open or install anything, as it could be malware infecting your device.
How do you know if a QR code is harmless?
Under no circumstances should you scan a QR code from a dubious source. If you find one on the street, ignore it. You may be curious, but it's better to keep your doubts than have your information stolen. Whenever you scan a QR code, make sure it's from a known and reliable source. If you're in a bar and unsure whether the code is real or has been added by someone outside the establishment, it's best to ask the staff. If you're suspicious, ask for a physical menu or search for it on Google Maps or the establishment's website, for example.
Most often, before redirecting you to the page, your smartphone will show you the URL in question. Some devices are able to detect whether the website is secure or not. In other cases, you'll have to be the one to check this yourself to avoid visiting fraudulent sites. If none of this raises your alarm, but you notice suspicious activity when you visit the page, leave as soon as possible and don't enter any personal or financial information if requested.
