- Banks and regulators have warned of the growing risk of quishing
- A type of phishing that uses fraudulent QR codes to steal information
- These malicious links are not easily recognized by users or email analyzers.
Not only should you be wary of suspicious links in your email inbox: QR code phishing (or “quishing”) is becoming an increasingly common threat, with fraudulent codes designed to bypass security systems and trick you into handing over your financial information.
Several UK banks, along with the UK National Cyber Security Centre and the US Federal Trade Commission, have recently warned about the dangers of these increasingly sophisticated scams.
In a quishing attack, a QR code is typically sent as an attachment to an email. The email will appear to come from a legitimate source, such as a lender. When you scan the code, it will direct you to a malicious link. Typically this will ask you to submit personal data, but it could also try to install malware or even capture an MFA token to bypass your login credentials.
What's more, quishing attacks have now spread to the real world. Earlier this year, the RAC warned motorists about fraudulent QR codes stuck on parking machines. When scanned, these would link users to a website that aims to steal the details and payment information of someone it believes is paying for parking.
These attacks have increased since the pandemic, when the use of QR codes skyrocketed. As a hands-free way to access everything from menus to medical forms, QR codes became a familiar and seemingly reliable way to access information and services.
Gone quishing
Just like a classic phishing scam, quishing aims to trick you into believing you received the link from a legitimate source. The email will usually appear to be from a bank or email provider and will ask you to confirm your details to “secure” your account. The scam will use a fake website that imitates the real site to trick you into thinking it is legitimate.
Because the content of a QR code is not immediately visible by looking at the code alone, it is difficult to verify if one is legitimate. What's more, these codes often go undetected by cybersecurity tools, which cannot easily verify whether an attached code is genuine.
Scammers are also finding increasingly advanced ways to hide their scams from security tools. In addition to hijacking legitimate email accounts, some QR code scams use genuine personal information collected from sites like LinkedIn to personalize emails to make them appear relevant to an individual. Domain redirection is often used to bounce users through multiple URLs, preventing email scanners from detecting the true malicious link behind the QR code.
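The domain-redirection trick described above is something a mail gateway or security team can counter by decoding the QR code's URL and following the redirect chain to its landing page before deciding whether the message is safe. The following is an added illustration, not code from the article or from any of the organisations it mentions. It assumes the QR payload has already been decoded to a URL (a library such as pyzbar or zxing would do that step) and replaces live HTTP requests with a constructed table of redirects, so it runs offline; in a real scanner the table would be filled by issuing requests with automatic redirects disabled and reading each `Location` header. All domains and URLs in it are made up (`.test` is a reserved TLD), and `registered_domain` is a deliberately simple helper that a production tool would replace with a public-suffix list.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for live HTTP 3xx responses.
# Example data only: none of these hosts exist.
REDIRECTS = {
    "https://short.example-link.test/abc": "https://cdn.example-tracker.test/r?u=1",
    "https://cdn.example-tracker.test/r?u=1": "https://secure-login.example-bank-verify.test/login",
}


def resolve_chain(url, redirects, max_hops=10):
    """Follow redirects from url and return every URL visited, in order.

    Stops on a loop or after max_hops so a deliberately endless chain
    cannot stall the scanner.
    """
    chain = [url]
    seen = {url}
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        if url in seen:  # redirect loop
            break
        seen.add(url)
        chain.append(url)
    return chain


def registered_domain(url):
    """Crude registrable domain: the last two labels of the hostname.

    Good enough for this example; a public-suffix list is needed for
    multi-part suffixes such as co.uk.
    """
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess(sender_domain, qr_url, redirects, max_hops=10):
    """Resolve a decoded QR URL and flag the signals the article describes:
    a landing page on a domain that does not match the claimed sender,
    several redirect hops, and a chain that crosses multiple domains.
    """
    chain = resolve_chain(qr_url, redirects, max_hops)
    final = chain[-1]
    reasons = []
    if urlparse(final).scheme != "https":
        reasons.append("final landing page is not served over HTTPS")
    if registered_domain(final) != sender_domain.lower():
        reasons.append(
            f"landing domain {registered_domain(final)} does not match "
            f"claimed sender domain {sender_domain}"
        )
    hops = len(chain) - 1
    if hops > 1:
        reasons.append(f"{hops} redirect hops before the landing page")
    domains = {registered_domain(u) for u in chain}
    if len(domains) > 1:
        reasons.append(f"chain crosses {len(domains)} different domains")
    return {
        "chain": chain,
        "final_url": final,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # A message claiming to be from examplebank.test whose QR code points at a shortener.
    verdict = assess("examplebank.test", "https://short.example-link.test/abc", REDIRECTS)
    for step in verdict["chain"]:
        print("  ->", step)
    print("suspicious:", verdict["suspicious"])
    for reason in verdict["reasons"]:
        print("  -", reason)
```

The key design point is that the verdict is made on the resolved landing page, not on the first URL in the code, which is exactly what the shortener-and-bounce technique relies on defenders skipping. Feeding the final URL (rather than the QR payload) into an existing URL-reputation or allowlist check closes the gap the article describes.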
We have written in depth about the evolution of phishing attacks and how to stay safe from quishing attacks. In May, McAfee, the security software company, conducted a survey that found that more than 20% of online scams in the UK were likely to involve QR codes. With lenders and regulators now raising concerns, quishing is definitely the next big thing in online scams.