Quishing: watch out for fraudulent QR codes

28/02/2023

Cybercriminals are always one step ahead, looking for different ways of stealing money from their victims. This new post in the “Protect yourself against fraud” series will help you spot the signs of fraud and take action.

A QR (quick response) code is an advanced barcode that you can scan using a QR reader on your mobile phone to access information. It may be a link to a website, an app, concert tickets saved as a PDF file, a restaurant menu, train tickets in PKPASS format, a WiFi password, a location or contact details.

QR codes were invented in the 1990s in Japan and have become hugely popular since the pandemic as a way of reducing physical contact with everything from vaccination certificates and restaurant menus to street furniture. But they’ve not gone unnoticed by cybercriminals who can trick you with malicious links. What techniques do they use? Here are some real-life examples from the last few months.

  • Traffic fines containing QR codes leading to a fake payment website from which cybercriminals then take your money.
  • Inverted QR codes, a scam used when paying the bill in restaurants. The scammers present a QR code that appears to link to the payee’s bank but is in fact a request for money, or a means of obtaining the victim’s personal data and bank details.
  • QR codes used together with other techniques, such as installing malware or setting up fake websites (web spoofing), to obtain personal data.
  • Stickers placed on top of genuine QR codes in shops.

Quishing, short for “QR phishing”, is when QR codes are manipulated to trick victims into opening malicious links or applications to obtain their personal data.

What can you do to detect and prevent this type of fraud? The main way of preventing it involves trying to identify where a QR code is taking you.

  • A web address starting with https, while not entirely foolproof, provides a basic level of security and protection.
  • Be alert and check that the link or URL doesn’t look suspicious before you open it. Expand any shortened links to check that they are genuine, or don’t open them at all.
  • If a website asks for personal data, access it directly using the full URL or through its own application.
  • If you are a business owner, check the QR codes you provide to your customers to make sure they haven’t been altered or falsified.
  • Use applications that allow you to see a link before you open it. On iOS devices you can do this directly via the camera (though you need to enable this functionality). On Android devices you can use the pre-installed Google Lens app or other dedicated apps available in the Play Store.
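The advice above, checking where a QR code actually leads and expanding shortened links before opening them, can be turned into a small triage routine for the text a QR reader decodes. The following Python is an added example, not code from the original article; the shortener list, the sample payloads and the simulated redirect table are constructed assumptions, and the redirect fetcher is injected so the script runs offline.

```python
"""Triage a payload decoded from a QR code before anyone opens it.

Added example, not the article's code. The shortener list, the sample
payloads and the fake redirect table below are constructed assumptions.
"""
import ipaddress
from urllib.parse import urljoin, urlsplit

# Assumption: illustrative link-shortening domains, not a maintained list.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "cutt.ly"}

# Constructed stand-in for HEAD requests: URL -> Location header (None = final).
FAKE_REDIRECTS = {
    "https://bit.ly/fine123": "https://cutt.ly/x9",
    "https://cutt.ly/x9": "http://203.0.113.10/pay/fine",
    "https://t.co/loop": "https://t.co/loop",
}


def _is_ip_literal(host: str) -> bool:
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload: str) -> dict:
    """Classify one decoded payload.

    verdict is one of:
      'not-web-url'  - WIFI:, MECARD:, plain text, app schemes: no web link to vet
      'expand-first' - a shortener; resolve it before deciding anything
      'suspicious'   - at least one red flag in the URL itself
      'review'       - nothing automatic; still compare the domain to what you expect
    """
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return {"url": payload, "findings": [], "verdict": "not-web-url"}
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("no-https")
    if "@" in parts.netloc:
        findings.append("userinfo-in-url")   # text before '@' can pose as the real host
    if _is_ip_literal(host):
        findings.append("ip-literal-host")   # legitimate payment sites use names
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")    # possible look-alike of a known brand
    if host in SHORTENER_DOMAINS:
        findings.append("shortened-link")
    if "shortened-link" in findings:
        verdict = "expand-first"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "review"
    return {"url": payload, "findings": findings, "verdict": verdict}


def expand_short_link(url: str, fetch_location, max_hops: int = 5) -> list:
    """Follow redirects without rendering any page; return the URL chain.

    fetch_location(url) must return the Location header or None. It is
    injected so this runs offline; a real one would send HEAD with redirects
    disabled and a short timeout. Stops on a loop or after max_hops.
    """
    chain = [url]
    for _ in range(max_hops):
        location = fetch_location(chain[-1])
        if not location:
            break
        nxt = urljoin(chain[-1], location)   # Location may be relative
        if nxt in chain:
            break                            # redirect loop
        chain.append(nxt)
    return chain


def triage_after_expansion(url: str, fetch_location):
    """Expand a link and triage the final destination, not the shortener."""
    chain = expand_short_link(url, fetch_location)
    return chain, triage_qr_payload(chain[-1])


if __name__ == "__main__":
    # Constructed sample payloads as a QR reader might decode them.
    samples = [
        "https://www.example.com/menu",
        "WIFI:T:WPA;S:CafeNet;P:secret;;",
        "https://login@xn--pple-43d.com/",
        "https://bit.ly/fine123",
    ]
    for s in samples:
        print(triage_qr_payload(s))
    print(triage_after_expansion("https://bit.ly/fine123", FAKE_REDIRECTS.get))
```

The verdict deliberately never says "safe": a clean-looking https link on a well-formed domain still has to be compared against the site you expected (the restaurant, the transport operator, the authority issuing the fine), which is the check only a person can make. The shortener branch matters because a clean shortener address tells you nothing about the destination, so the routine expands it and judges the final hop instead.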
