What is Quishing?
In the ever-evolving landscape of the digital age, new terms and trends continuously emerge. One such phenomenon that has gained prominence recently is "quishing." While it may sound like a playful term, quishing is anything but harmless. The term is a combination of "QR" and "phishing", and it describes a cunning tactic cybercriminals employ to trick individuals into divulging sensitive information or falling victim to various online scams after scanning a QR code. In this article, we will delve into the world of quishing and provide effective ways to protect yourself from becoming a victim.
Scanning a quick response, or QR, code is quick and easy. It became popular during the COVID-19 pandemic, when people were trying to avoid touching surfaces and wanted contactless options (e.g., restaurant menus).
What Is Quishing?
Quishing is a form of social engineering attack (phishing) that leverages QR codes to deceive individuals into downloading malware or revealing confidential information, such as login credentials, financial details, or personal identification numbers (PINs), after scanning a QR code. The term "quishing" is derived from "QR" and "phishing": cybercriminals give their targets fraudulent instructions (like deactivating a compromised account) to convince them to scan a QR code.
Common Scenarios of Quishing
Account Deactivation Scams: Cybercriminals impersonate legitimate organizations, such as banks or social media platforms, and claim that the victim's account is compromised. They then provide a QR code, phone number, or link to a fraudulent website where victims are asked to input their account credentials, essentially handing them over to the attackers.
Prize or Sweepstakes Scams: Fraudsters contact individuals, informing them that they've won a substantial prize or lottery. To claim their winnings, victims are asked to scan a QR code and provide sensitive information or pay fees upfront, only to never receive any prize.
Tax and Government Scams: In these quishing scenarios, scammers impersonate government agencies, citing unpaid taxes, student loan debt relief, or a legal violation (such as parking tickets with QR codes to pay fines online or over the phone). Victims are threatened with fines or arrest unless they provide personal details or make immediate payments.
What happens when you scan harmful QR codes?
- You can be directed to a phishing website where cybercriminals can try to steal your identity.
- Your device could become infected with malware. QR codes can be configured to automatically download content to your devices, such as malware, ransomware, or trojans. These infections track you, steal your personal data, encrypt your device, and even spy on you.
- Attackers could send emails from your accounts, monitor your social media accounts, and access payment sites. Scammers can use your accounts to phish others and damage your reputation.
Ways to Avoid Quishing
Preview the link before accessing it: Before directing you to the intended page, your phone will tell you the destination of the QR code. Check to be sure it is safe. If the address is shortened or unreadable, be extra cautious. Verify the identity of the page by using official contact information obtained from the organization's website or official documents. Never trust the information provided in the QR code itself. Secure sites will use HTTPS.
Don't Share Personal Information: Never share personal or financial information with a site you reached from a QR code unless you are absolutely certain of its legitimacy. Legitimate organizations will not ask for sensitive information through QR codes.
Are you scanning the original QR code: Be careful of QR codes in public places or the mail. A public QR or one you receive in the mail or email could have been placed there easily by scammers, or they can alter the legitimate one. Fraudsters sometimes place a fake QR code over an original one, so you scan theirs instead. Be sure you are scanning the correct one.
Don't download an app from a QR code: Use the app store for your device, and don't download apps from a company's website unless you know it is their app because you have verified by calling them.
Enable Two-Factor Authentication (2FA)/Multi-Factor Authentication (MFA): Implement 2FA/MFA wherever possible. This adds an extra layer of security to your online accounts, making it significantly harder for cybercriminals to access your accounts even if they have your login credentials.
Educate Yourself and Others: Stay informed about the latest scams and phishing tactics. Educate yourself and your family, especially elderly or less tech-savvy individuals, about the risks of quishing and how to recognize and avoid such scams.
Use Call Blocking and Filtering: Many smartphones have built-in features or third-party apps that can help you block and filter suspicious calls and text messages. Utilize these tools to reduce the chances of falling victim to quishing.
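The link-preview checks from "Preview the link before accessing it" above, written out as a small Python function that reviews the address a QR code decodes to. This is an added example, not part of the original article; the shortener list, the official domain `example-bank.com` and the sample URLs are constructed assumptions, and it goes slightly beyond the tip by also flagging IP-address hosts and text placed before an `@`.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values for this example (assumptions, not from the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
OFFICIAL_HOSTS = {"example-bank.com"}  # hypothetical organization's real domain


def review_qr_url(decoded: str) -> list[str]:
    """Return the reasons a URL decoded from a QR code needs extra caution.

    An empty list only means none of these checks fired; HTTPS alone does
    not prove that a site is legitimate.
    """
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    flags = []
    if parts.scheme.lower() != "https":
        flags.append("not-https")
    if not host:
        flags.append("no-host")
        return flags
    if "@" in parts.netloc:
        flags.append("userinfo-in-url")  # text before '@' is not the site name
    try:
        ipaddress.ip_address(host)
        flags.append("ip-address-host")
    except ValueError:
        pass  # host is a name, not an IP literal
    if host in SHORTENERS:
        flags.append("shortened")  # real destination is hidden
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        flags.append("non-ascii-host")  # "unreadable" or look-alike name
    # Official means the exact domain or a subdomain of it, not a mere prefix.
    if not any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS):
        flags.append("not-official-domain")
    return flags


if __name__ == "__main__":
    for url in ("https://www.example-bank.com/menu",
                "http://bit.ly/3xAmPle",
                "https://example-bank.com.login-check.example/verify",
                "https://example-bank.com@198.51.100.7/login"):
        print(url, "->", review_qr_url(url) or "no flags")
```
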
What do I do if I scan a fake QR code?
- Change your passwords and enable 2FA/MFA on accounts.
- Disconnect Wi-Fi and cellular network connections. If a malicious file is involved, it will do less damage without an internet connection.
- Back up your important files like images and papers. Cybercriminals try to steal or encrypt those and ransom you to reclaim access.
- Set up fraud alerts on your cards. Notify credit bureaus as soon as possible. Fraud alerts and credit freezes make it more difficult for criminals to open credit cards and commit loan fraud.
Published on October 02, 2023