Quishing, also known as QR phishing, is a cybersecurity threat that uses malicious QR codes to redirect users to harmful websites and trick them into downloading dangerous content on their devices. As with other phishing attacks, the main goal of quishing attacks is to steal sensitive information like credentials or financial information or to install malicious software on users' devices.

The reason why quishing has become so common is that QR codes have become increasingly popular over the past few years, and are now used almost everywhere, from making digital payments to accessing information. In a quishing attack, hackers first create a QR code that looks just like a regular one but contains code that directs you to a malicious website when you scan it. Once you visit the website, it can download malware onto your device, access important data, or even redirect payments that are meant for someone else.

What makes quishing attacks so difficult to block is that it is practically impossible to identify harmful QR codes from useful ones without scanning them. Unscrupulous agents often place these QR codes where someone may easily scan them, such as airports, parks, malls, etc. Additionally, QR codes appear as meaningless images on secure email gateways, quishing attacks can bypass these security measures.

Quishing attacks may also involve multiple devices, which poses another security concern and makes it hard to prevent them. For instance, hackers may send malicious QR codes to users who may view them on one device, such as their computer, and then scan the code using a different device, like their phone.

Consequences of a quishing attack

Due to the very nature of quishing attacks, it is often too late before you find out that you've been a victim of such an attack. Here is what happens when a quishing attack takes place.

  • You may be redirected to a phishing website: When you scan a malicious QR code, it may redirect you to a website that appears similar to what you are expecting. The website is designed in this manner to convince you that it is safe to provide your personal information there, like credentials and financial information like your credit card number.
  • A malware attack may take place: QR codes may contain Trojans, ransomware, or malware, which will automatically download and install on your device as soon as you scan the code. Once the malware is installed on your phone, it can allow hackers to install other harmful software on it, steal your personal data, and even track your activities.
  • Hackers may get control of your social media accounts: Another effect of a quishing attack is that it can allow hackers to get access to your social media accounts. Scanning a malicious QR code may install software on your device that can send messages from your social media accounts like Instagram, Facebook, WhatsApp, etc. to other people.

Protecting yourself from quishing attacks

Identifying malicious QR codes is undoubtedly very difficult but there are still ways by which you can protect yourself from quishing attacks.

Be wary of unsolicited QR codes

If you find QR codes in unsolicited messages or emails or where you do not expect them, proceed with caution, especially if the messages require some action on your part. While email clients work fairly well in identifying such emails, some of them may still end up in your inbox. In any case, avoid scanning the QR codes in such messages and emails.

Check for accompanying explanation or context

Legitimate QR codes usually have some accompanying text that explains their purpose, which can help you decide whether to scan them or not. Check whether the code has such an explanation accompanying it. If there is no accompanying text and you are not sure that the code is from a trusted source, avoid scanning it.

When you scan a QR code, your device will first show you a preview of the URL. If you find the link to be shortened and cannot see where it will take you, it is best to avoid it. Additionally, checking the security protocol is a good idea, as most secure websites use HTTPS while unsecured ones usually use HTTP.

Check the source

If possible, find out the source of the QR Code and verify it. Look for the sender's contact information and email address, and if you find them, check for spelling errors, weird domain names, or other telltale signs that can tell you whether the source is credible. If you cannot contact the sender through proper channels, chances are that the QR Code is designed for malicious purposes.

Check the destination website

If you've already scanned the QR code and opened the website, the first thing to do is to check the page that opens. If you find low-resolution images, poor language use, spelling and grammar errors, etc. it is likely a phishing website. You may also find that the website content tries to create a sense of urgency and requires you to perform some action immediately. These are all signs that it is not a trustworthy website and you should close it.

Be careful when sharing personal information

When you scan a QR code and any page asks you to enter your personal information, think carefully before doing so. Check the complete URL of the page properly and the logo of the business sending the code. It is a good idea to manually type the URL into your browser instead of relying on the link sent through the QR Code. If you have the slightest doubt, do not enter your personal details on the page.

Turn on two-factor authentication

Turning on two-factor authentication for your accounts can help you avoid a lot of trouble as it will prevent anyone else from accessing them. In situations where you've already scanned a malicious QR code and a hacker has obtained your credentials, they will still not be able to access your account if two-factor authentication is enabled. Furthermore, this will alert you if someone is trying to access your account and you can take the required action to protect it.

Avoid downloading apps using QR codes

If you want to download an app on your smartphone, always do it from the official source, such as the Google Play Store or Apple App Store. Avoid downloading and installing apps from URLs you get through QR codes, as that can increase the chances of you accidentally downloading malware onto your device.

Use antivirus apps

Security programs like antivirus apps are designed to automatically block malicious webpages and harmful downloads. Unless you intentionally disable such apps or choose to ignore their warnings, they can protect you from quishing attacks effectively. Such apps can also scan your device and let you know whether it has been infected with malware and suggest steps as to how you can get rid of it.

Rely on the built-in scanner on your device

If you need to scan a QR code quickly, you may often look for an online scanner or download a third-party QR code scanner app for the purpose. However, such apps and websites are often designed by hackers and can lead to quishing attacks, so it is best to avoid using them. You should only use the QR code scanner that is built into your phone's camera to scan codes for maximum security.

Things to know

  • If you're at an offline store and need to scan a QR code, check with the store owner or manager that it is the right code before scanning it for additional security.
  • Similarly, if you need to make payments by scanning a QR code, verify with the person sharing the code that the recipient's name is correct.
  • Keep your device and apps updated to ensure they have the latest security patches that can keep your data safe.
  • Always keep yourself up to date regarding the latest safety practices so far as QR codes are concerned.