Summary
QR codes are everywhere now: from restaurant menus to public transport timetables, everyone wants you to scan their QR code. This normalization of scanning random QR codes is being taken advantage of, presenting a new cybersecurity threat called Quishing.
What Is Quishing?
Quishing (QR code phishing) means embedding a malicious URL in a QR code. Rather than linking to a legitimate site, the code loads a page that attempts to steal information, infect your device with malware, or perform some other harmful act.
It’s a silly-sounding name, but it presents a real threat. While we’re all aware that you shouldn’t visit disreputable websites or download unknown files, due to the nature of QR codes, there’s no way of really knowing what’s on the other side of one. With a scan and a tap, you’re whisked away to a website that may display content you did not want to see, or redirected to a malicious file download.
It’s easy to be tricked into scanning a QR code, too: many businesses rely on third-party services and URL shorteners to create their QR codes, meaning that the embedded links won’t necessarily lead directly to their official websites. This makes it difficult to detect whether someone performing a quishing attack has tampered with a QR code.
Is Quishing Really a Threat?
Yes. It’s already happening, and it’s effective. QR codes for parking meters, restaurant payments and tip systems, and for fake promotions are being tampered with worldwide to perpetrate quishing scams, often by simply placing a sticker with a fraudulent QR code over an existing official code. These trick codes then link to fake login pages and payment sites that either have you pay the scammer directly, or steal your information (which can be used to steal your money later, or push other scams).
How To Protect Yourself From Quishing
There are a few effective steps you can take to protect yourself from quishing:
Making a QR Code for Your Business? Make It Safe
If you’re creating a QR code for use in your business, there are a few ways you can make your customers comfortable and secure using it. First, consider whether you need a QR at all—forcing people to pull out their phones, fiddle with their camera, and wait for your website to load is much less convenient than a simple printed menu.
If a QR is vital to the experience, make sure it links directly to a page on your official business website. URL shorteners mask the intended destination, and are known to inject ads or redirect your QR to their own pages. You should also periodically check your physical QR codes to make sure no one has tampered with them by placing a sticker of their own code over yours to try to catch your customers in a quishing attack.
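One way to run that periodic check, as an added example rather than code from this article: decode each printed code with any QR reader and pass the resulting URL to the function below. The domain cafe.example, the short shortener list and the function name are assumptions made for illustration.

```python
# Added example: audit the URL decoded from a printed QR code against the
# business's own domain. All hostnames here are constructed placeholders.
import ipaddress
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {"cafe.example"}                   # assumption: your own domain(s)
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small illustrative list


def audit_qr_url(decoded: str) -> list[str]:
    """Return findings for one decoded QR payload; an empty list means it passed."""
    try:
        parts = urlsplit(decoded.strip())
    except ValueError:
        return ["unparseable"]
    findings = []
    host = (parts.hostname or "").rstrip(".").lower()

    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None or parts.password is not None:
        # https://cafe.example@other.test/ is served by other.test
        findings.append("userinfo-in-url")
    if not host:
        findings.append("no-host")
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # a normal DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")  # possible lookalike, review by hand
    if host in KNOWN_SHORTENERS:
        findings.append("url-shortener")
    # Accept the exact domain or a true subdomain, never a substring match.
    if not any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        findings.append("host-not-official")
    return findings


if __name__ == "__main__":
    for url in ("https://cafe.example/menu",             # constructed samples
                "https://cafe.example.other.test/menu",
                "https://cafe.example@other.test/pay",
                "https://bit.ly/abc123"):
        print(url, "->", audit_qr_url(url) or "ok")
```

Any finding on a code you printed yourself means the sticker on the table no longer matches what you published and should be replaced.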
Your mobile device contains your entire digital life, so it’s important to keep it secure and utilize all the privacy features it offers. Check out our top 7 Android security features, and our 8 iPhone privacy features to find out how you may better protect yourself.