QR codes are everywhere; we use them to read the menu at a restaurant, pay for parking, sign up to a newsletter or sign in to a streaming service. Their popularity now means that scammers are taking advantage of them. Quishing, or QR phishing, is a scam in which victims are tricked into scanning a fraudulent QR code and then handing their details to the phisher.
How does QR phishing work?
This is a very simple scam. It starts with the phisher creating a fraudulent QR code that links to a website they control. The website is built with the placement of the QR code in mind; for example, a phisher planning to place a QR code at a bar might host a clone of the bar’s website. The QR code is then printed onto a sticker and placed anywhere in the real world, from a bench to a lamppost to a restaurant menu, or somewhere online, such as a website or a social media page.
There is almost no way to tell from looking at a QR code where it will take you, so the victim lands on a website that looks roughly like the one they expected and enters their information. They then find themselves subscribed to something, having paid for a service they don’t need, or having sent their personal information to the phisher, who can sell it on or use it for further scams.
Social engineering, and QR phishing
Social engineering is a way of exploiting a victim’s natural responses in order to extract something from them, such as their personal information or access to a building or account. A person carrying a ladder and wearing a high-vis vest, for example, might be able to socially engineer their way into a building without the necessary identification, because people assume they are there to work.
QR phishing also relies on social engineering. People who scan QR codes are often trying to get through a process quickly; paying for parking, for example, is something you might need to do on the way to somewhere else. Scammers exploit this natural inclination by creating a website that looks similar to the one the victim expected, and then having them provide their details or sign up to a subscription.
Keeping yourself safe from QR phishers
When you come across a QR code out in the world, look for signs of tampering before you scan it and, where possible, reach the website you need by searching for it manually. Never scan a random QR code you happen to come across; this is exactly the same as seeing a random website scrawled on a wall and deciding to visit it. Sometimes merely visiting a website can result in malware being installed on your device.
The same goes for QR codes you find online. Where possible, navigate to the website yourself; that way you can be sure you are reaching something legitimate. If you receive a QR code unexpectedly, whether by email or through social media, do not scan it, particularly if something in the email or post implies a time limit. Keep yourself and your devices safe, and send that QR code to Junk.
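The advice above comes down to checking where a code leads before you follow it. Most scanner apps show the decoded URL before opening it, and the checks a careful reader applies by eye can be written down. The following is an added example, not code from the original article or from any product it mentions: it takes an already-decoded QR payload and lists red flags such as a non-HTTPS scheme, credentials placed before an "@" to disguise the real host, a link shortener that hides the destination, a bare IP address, a punycode label, or a host that merely contains the expected name inside a different domain. The allowlist `EXPECTED_DOMAINS` and every sample URL are constructed for the example.

```python
"""Pre-scan check for a URL decoded from a QR code (added example, not from the article)."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the domains the person scanning actually expects to reach.
EXPECTED_DOMAINS = {"examplebar.com", "cityparking.example"}
# Common link shorteners; they hide the real destination from whoever scans the code.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}


def _is_ip(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _under(host, domain):
    """True when host is `domain` itself or a subdomain of it (suffix match on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def check_qr_url(url, expected=EXPECTED_DOMAINS):
    """Return the list of reasons not to open `url`; an empty list means no red flags were found."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()  # urlsplit strips any user:pass@ prefix and the port

    if parts.scheme.lower() != "https":
        reasons.append("scheme is %r, not https" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        # "https://examplebar.com@evil.example/" shows a familiar name but connects to evil.example
        reasons.append("credentials before '@' disguise the real host")
    if not host:
        reasons.append("no host in URL")
        return reasons
    if _is_ip(host):
        reasons.append("destination is a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) label may imitate a familiar name")
    if any(_under(host, s) for s in SHORTENERS):
        reasons.append("link shortener hides the final destination")
    if not any(_under(host, d) for d in expected):
        reasons.append("host %r is not one of the expected domains" % host)
        # "examplebar.com.evil.example" contains the expected name but belongs to evil.example
        embedded = [d for d in expected if d in host]
        if embedded:
            reasons.append("expected name %r appears inside a different domain (lookalike)" % embedded[0])
    return reasons


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app might display them before opening.
    samples = [
        "https://examplebar.com/menu",
        "https://menu.examplebar.com/",
        "http://examplebar.com/menu",
        "https://examplebar.com.evil.example/pay",
        "https://examplebar.com@evil.example/",
        "https://bit.ly/abc123",
        "https://192.0.2.10/park",
    ]
    for s in samples:
        flags = check_qr_url(s)
        print("OK  " if not flags else "WARN", s, "; ".join(flags))
```

The suffix match in `_under` is deliberate: `menu.examplebar.com` is accepted because it is a subdomain of an expected name, while `examplebar.com.evil.example` is rejected because its registrable domain is something else entirely. A real deployment would replace the hypothetical allowlist with the domains printed on the venue's own signage or bill.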