January 6, 2024

How to avoid being a quishing victim

NetworkTigers discusses quishing and how to avoid being scammed by quishers.

You can officially add the word “quishing” to the ever-growing list of cyber threats individuals must be wary of.

While “phishing” should be familiar to anyone with even cursory knowledge of cyber scams, quishing combines the tried and true strategy of tricking victims into clicking malicious links with the now ubiquitous QR code.

While not new, the use of QR codes rose significantly during the COVID-19 pandemic as hands-free or touchless protocols saw menus, booklets, and pamphlets replaced with digital versions meant to be viewed on personal devices. 

From restaurant menus to gas station pumps and product labels, QR codes are a quick and easy way for companies and brands to direct viewers to a website or platform of their choosing by just opening their phone’s camera and clicking a button. This makes them ideal for effortless customer conversion and advertising.

However, criminals can also use this strategy to steal login credentials or fool unsuspecting people into downloading malware or exposing themselves to identity theft.

How quishing works

Quishing may sound brand new, but it’s been around long enough for the FBI to warn about it in January 2022.

The tactic sees threat actors either manipulating existing QR codes or creating entirely new ones that, instead of ushering visitors to a legitimate website or product page, land them on a malicious site that may ask for sensitive information and login credentials or initiate the download of malware or spyware.

As with phishing links, malicious QR codes can be sent to victims via email or text. Microsoft security notifications have been a favored vector for this kind of attack. However, the codes may also appear on pamphlets or brochures that are distributed physically.

Threat actors can also make QR codes as decals and apply them over legitimate ones. Combined with a spoofed landing page, this tactic is particularly troublesome, as a poster or sign from a trusted company may be hosting a dangerous replacement QR code created by a criminal.

In September of 2023, threat actors were found to be sticking fake QR codes to parking meters in Charlotte, North Carolina, prompting an advisory from law enforcement. Those who used the fraudulent codes found fraudulent charges on their credit cards.

This method can also be employed in spaces that offer public Wi-Fi you can connect to via a QR code. Replacing the code with a malicious one can result in a victim connecting to a network controlled by hackers, who can monitor internet usage and intercept data.

While scam emails and texts are still often rife with misspellings or other oddities that raise red flags for those who look closely, it’s simply impossible to determine whether a QR code is legitimate at first glance. 

How to stay safe from quishing scams

Inspect messaging associated with any QR codes you receive. If you receive a QR code in an email or text, practice the same diligence you would with any other potentially dangerous message. Check for typos, misspellings, unfamiliar senders, or other typical giveaways. As with most scams, quishing attempts often employ a sense of urgency. This can be a time-sensitive offer, a survey that needs to be completed quickly to receive a gift, or a warning that your account has been hacked.

Maintain skepticism. Do your best to verify the legitimacy of a QR code before scanning. If the QR code is in a public space, it may be best to avoid it. If you can, physically inspect the code to see whether it is printed directly on the sign, poster, or booklet it appears on, or whether it looks like a decal applied after the fact. Any indication that the code was not a part of the original message could mean it has been tampered with.

Use two-factor authentication. Keeping up with security and password best practices can put a barrier between a hacker and your data if you happen to fall for a quishing scam. Quishing is a game of opportunity for criminals, gaining in popularity because it’s such a frictionless way for victims to fall into the trap. If an obstacle appears between them and their goal, they will likely wait for a less protected, “softer” target.

Take a close look at the URL. Be diligent and check the URL any QR code leads to for any misspellings or bizarre words and letters that wouldn’t be associated with where you expect it to take you.

Beware of shortened URLs. If you inspect a QR code’s URL and find that you can’t look closely at it because it’s been shortened, the safest option is to assume it’s dangerous. Most legitimate sources won’t use URL shorteners.

Use a secure QR code scanner. Secure QR code scanners analyze the information in a QR code. They can determine whether the links embedded in it lead to a safe URL or to one impersonating a legitimate site. Naturally, only use QR scanners from reputable developers, lest you open yourself up to another layer of risk.

Ask for a printed menu. While not always available, many restaurants offer printed menus to those who ask for them. 

Avoid scanning QR codes altogether. The best way to prevent a quishing attack is to avoid scanning QR codes altogether. While this may not be possible 100% of the time, especially with so many businesses opting to forgo printed material altogether, skipping the scan wherever possible limits your risk.

Report any scams you notice. If you encounter a QR code you suspect is fraudulent, notify the company being spoofed or any others who may be tempted to check it out. Notify authorities via the Internet Crime Complaint Center, providing as much detail as possible.
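
The URL checks recommended above (misspelled hosts, shortened links, and codes that join a Wi-Fi network) can be run automatically on the text decoded from a QR code. The following Python is an added example, not code from NetworkTigers or from any scanner product; the function names, the shortener list, and the sample domain city-parking.example are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative, non-exhaustive set of well-known URL shortener hosts.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
SAMPLES = ["https://city-parklng.example/pay", "https://bit.ly/3abcd"]  # constructed

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_qr_payload(payload, expected_domain):
    """Return warnings for text decoded from a QR code (empty list = none)."""
    if payload.strip().upper().startswith("WIFI:"):
        return ["joins a Wi-Fi network instead of opening a page"]
    try:
        url = urlsplit(payload.strip())
        host = (url.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["malformed URL"]
    flags = []
    if url.scheme != "https":
        flags.append("not an https link")
    if "@" in url.netloc:
        flags.append("text before '@' hides the real host")
    if host in SHORTENERS:
        flags.append("shortened URL, destination hidden")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        flags.append("internationalized host, possible lookalike letters")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        # Compare the same number of trailing labels as the expected domain.
        tail = ".".join(host.split(".")[-(expected.count(".") + 1):])
        if edit_distance(tail, expected) <= 2:
            flags.append(f"'{tail}' imitates '{expected}'")
        else:
            flags.append("host is not the expected domain")
    return flags
```

An empty list means none of these checks fired, not that the destination is safe; the expected domain has to come from a source other than the QR code itself.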

About NetworkTigers


NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com

Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
