Quishing: An Ugly Word for an Ugly Scam

You might want to think twice before scanning that QR code. Turns out, hackers have been hijacking those handy squares to scam unsuspecting victims – just another thing for cybercriminals to try and ruin.

In this article, we’ll be exploring these rogue QR codes, how hackers are exploiting them, and ways to stay safe from this rising threat.

But before we start, let’s break down what makes a QR code and why they’re so easy for hackers to take advantage of.

So put that camera away and let’s get started.

What Is a QR Code?

You’ve seen them before – those square barcodes made up of black and white patterns. They’re everywhere, from cereal boxes to parking meters and even restaurant menus.

QR codes, or Quick Response codes, are essentially souped-up barcodes capable of holding a significant amount of information. When scanned with a smartphone camera, they can direct users to websites or provide users with embedded files – no typing required.

Creating a QR code is simple. Just search for a QR code generator online, attach a website URL or file link, and voilà – your QR code is ready to share.

Here’s the problem: this QR convenience is just as easy for hackers as it is for you.

Enter, quishing…

What Is Quishing?

Quishing, or QR phishing, uses QR codes to direct users to malicious websites or files in an attempt to steal valuable data. These QR codes masquerade as legitimate links, similar to traditional phishing schemes. Some examples of quishing include QR codes embedded in fake marketing emails, emails falsely notifying users about missing packages with “QR tracking”, and even physical QR codes printed and placed over parking meters, as seen in recent parking scams in Europe.

While some users may be hesitant to scan a QR code, the prevalence of these attacks is a serious concern. Barracuda’s 2024 threat report reveals that 1 in 20 inboxes faced QR-code attacks in the last quarter of 2023, meaning that, due to sheer volume, someone is bound to fall victim. This issue is so serious that even the FBI has issued warnings about quishing attacks.

As quishing schemes creep in from every corner, businesses must watch out for suspicious QR codes.

They’re Quishing Your Company

Emails are a popular vehicle for quishing attempts against businesses. Unlike the plain links used in traditional phishing emails, a QR code is an image, so standard email filtering systems cannot inspect the URL hidden inside it. This means that quishing emails can easily land directly in your employees’ inboxes.

The most dangerous emails are targeted quishing scams that use specific information about a user or company. For example, an employee might receive an email from a hacker impersonating a colleague, including a QR code directing them to a fake company website designed to steal sensitive information. Before you know it, you could be facing a data breach.

To mitigate this risk, it’s vital employees are educated about quishing, especially as these attacks continue to gain popularity.

Other Common Quishing Scams

In addition to email scams, here are some common quishing tactics followed by tips to avoid them.

  1. Wi-Fi access scams: Malicious QR codes can replace legitimate ones that offer free Wi-Fi, leading users to phishing sites.
  2. Software update scams: A QR code may claim to deliver a software update but instead downloads malware.
  3. Cryptocurrency scams: Criminals may offer special deals for crypto via QR codes that direct users to harmful links.
  4. Donation scams: Scammers may impersonate charities, using QR codes on flyers or texts to solicit donations, stealing both your money and personal information.
  5. Restaurant scams: While some restaurants use QR codes to direct diners to their menus, these can easily be swapped with fraudulent codes.
  6. Event registration scams: Flyers may contain QR codes for event sign-ups that direct users to malicious pages designed to harvest their information.

Unfortunately, the list goes on. Any QR code can potentially lead users into dangerous waters, so let’s talk about how you can stay safe before scanning…

A Quick Response to Safety

The easiest answer? Don’t scan unknown QR codes, especially if sensitive information – like payment information – is involved. If you encounter a physical QR code in a public place, like at a restaurant, and feel uncomfortable, ask for a physical menu instead. However, if you must scan a QR code, follow these tips:

  • Preview the link: When you scan a QR code, you should see a preview of the URL the QR code intends to direct you to. Make sure that this URL leads where you expect. For instance, if it leads to www.m1cros4t.com (using numbers in place of letters) instead of microsoft.com, it’s likely a scam.
  • Check for physical tampering: If you are forced to use a physical QR code, examine it to see if it appears to have been placed over an original. If the QR code is under lamination or part of a legitimate print, it’s likely safe to use.
  • Use trusted sources: If you have any doubts, download apps directly from the official Google Play or Apple App Store, or search for the website using your phone’s internet browser.
  • Don’t scan surprise links: If you receive a text or email with a QR code that you weren’t expecting, don’t scan it – especially if it urges you to act immediately.
  • Check the email: If an email containing a QR code comes from an address that doesn’t match the sender (e.g., a FedEx email from a non-FedEx address), it’s likely a quishing attempt.
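The “preview the link” and “check the email” tips above can also be automated for an awareness tool or mail gateway. The following is an added example, not code from the article or The 20 MSP; it assumes the QR image has already been decoded to its URL by some scanner library, and `TRUSTED_DOMAINS` and the digit-for-letter map are constructed, hypothetical values.

```python
import difflib
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: the brand domains we expect QR codes and notification mail to point at.
TRUSTED_DOMAINS = {"microsoft.com", "fedex.com"}

# Heuristic digit-for-letter substitutions, as in the article's m1cros4t.com example.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable(host):
    """Last two labels of a hostname; enough for the simple brand domains above."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(url, threshold=0.75):
    """Return the trusted domain a decoded QR URL imitates, or None if the host is trusted or unrelated."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    domain = registrable(parsed.hostname or "")
    if domain in TRUSTED_DOMAINS:
        return None  # exactly the brand's own domain: nothing to flag
    # Undo common digit substitutions, then compare the name to each brand.
    name = domain.split(".")[0].translate(LEET_MAP)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if difflib.SequenceMatcher(None, name, brand).ratio() >= threshold:
            return trusted
    return None


def sender_mismatch(from_header):
    """True when the display name claims a trusted brand but the address is not on that brand's domain."""
    display, address = parseaddr(from_header)
    addr_domain = registrable(address.rsplit("@", 1)[-1]) if "@" in address else ""
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in display.lower():
            return addr_domain != trusted
    return False  # no brand claimed, so nothing to compare against


if __name__ == "__main__":
    print(lookalike_of("www.m1cros4t.com"))  # microsoft.com
    print(sender_mismatch("FedEx Delivery <notice@fedex-parcel-update.example>"))  # True
```

The similarity threshold is a tuning knob: lower it and more hosts are flagged for human review, raise it and only close imitations trip the check.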

The key is to remain skeptical. Borrowing from zero trust security: never trust, always verify. If something seems off, avoid scanning the QR code. As with all things cybersecurity, if you ever have questions, don’t hesitate to reach out to your IT team for support.

Squishing Quishing Through Cyber Awareness

Before scanning a QR code, take a moment to ask yourself: Is this a legitimate code, or am I being quished? It all comes down to cyber awareness. A moment of hesitation now can save you a lot of trouble later.

We get that cyber awareness isn’t always intuitive – there’s a lot to keep in mind, and new threats are constantly emerging. If you’re concerned about your cyber awareness, you should seriously consider partnering with a leading IT provider – like us.

The 20 MSP’s comprehensive cyber awareness program is designed to help small to medium-sized businesses like yours prioritize cybersecurity. We offer simulated phishing attacks to train your employees without the risk, along with easy-to-understand, short videos that break down the nitty-gritty of cybersecurity – all at a flat rate!

Send us a message, and let’s get started!