Proton

You may already be familiar with phishing — a form of cybercrime in which scammers trick people into revealing personal information or logins. As technology evolves, so do the hackers’ tactics. One of the rising threats in cybersecurity in the last few years is quishing.

What is quishing?

Quishing, or QR code scams, is a phishing attack that starts by getting the victim to scan a fake QR code. After following the link, they’re lured into entering personal information. Quishing can easily go undetected by those who aren’t aware of QR code risks.

What are QR codes?

Also known as a quick response code, a QR code is a 2D barcode that contains information, usually a website URL, that can be scanned by a smartphone camera — think of it like a scannable link. Once scanned, the smartphone user can access the website or information that the barcode links to.

QR codes became popular seemingly overnight during the pandemic, when restaurants and bars switched to scannable digital menus in lieu of physical ones. Now, QR codes are used in advertising and marketing, public poster materials, dining establishments, apps, and more.

Due to their ubiquity and perceived legitimacy, QR codes can also be used by scammers posing as a business to steal information from people. And because QR codes are often used on-the-go, people typically have their guard down and are quick to click QR code links without first checking that they’re real.

Who can be targeted in a QR code scam?

Because QR codes are everywhere, quishing attacks are usually not targeted. Anyone and everyone can be susceptible to quishing. And because virtually anyone can make a QR code (and they all look the same to the human eye), these scams are on the rise.

QR code scams have been used in parking lots to mimic real QR codes used by parking apps, in emails by people posing as government agencies, and in public spaces — like on business buildings — where QR codes are often displayed on advertising. Just like a phishing email can sometimes look like the real thing, a QR code scam can be equally deceiving.

How do QR code scams work?

QR code scams work by tricking people into scanning a scam QR code disguised to look legitimate. Quishing scammers might use QR code stickers and place them over real ones, making them nearly indistinguishable at a glance.

One common quishing scam involves using fake QR codes in parking lots where people regularly scan QR codes provided by parking apps. In these scam scenarios, someone trying to pay for parking scans a fake QR code and is directed to a scam website where they are asked for their bank information or other personal details. Or they might be asked to log in to an account on a fake login page — inadvertently sending their credentials to the hackers, who can then break into the victim’s real account.

How can you protect yourself against quishing?

The best way to avoid falling for this attack is to know that a legitimate QR code should never ask for your bank account or social security number. Here are some tips to keep in mind:

  • Pause before you scan. Does the QR code look real? Are there signs of tampering? Look at the QR code closely — is it in alignment? Does it look like a sticker upon further inspection? If anything looks “off,” don’t scan the code. Instead, try to access the information directly, by going to the company’s website wherever possible.
  • Scan, then inspect. Once you’ve scanned a QR code, you will usually be prompted to tap or click on a link. Does the link look legitimate? Are there any signs — like an incorrect URL — that you are being sent to a fake website? Be on the lookout for misspelled words, or extra letters and numbers, that a trusted website wouldn’t have.
  • Don’t enter personal information. If a QR code takes you to a website that prompts you to enter personal details right away, it’s likely a scam. Never enter your social security number, bank account information, or other sensitive data after clicking on a QR code.
  • Be cautious. If a QR code sounds like a scam, it probably is. For example, if you’ve received an email saying you’ve won a prize, with little information besides a QR code, it’s likely that you’re being quished.
  • Keep your software up to date. Protect your data against scammers and hackers by making sure you’re using your device’s latest operating system.
  • Create strong passwords, and change them if you know of a data breach. With a free password manager like Proton Pass, you’ll receive immediate alerts if a password is leaked, plus enhanced identity protection with end-to-end encryption, so your data is always secure.

Scan with caution and stay safe from quishing attempts

QR codes aren’t going anywhere, at least not for the foreseeable future. But you can still use them with confidence as long as you take steps to protect yourself from quishing.

Next time you’re about to scan a QR code, take a moment to look for any signs of fraud before proceeding. If something looks out of the ordinary, report the QR code scam to the business or company being impersonated, as well as the Federal Trade Commission at FTC.gov/Complaint.
