Cybersecurity

Beware of Quishing: are QR codes still safe to use?

March 15, 2024 - 4 minutes reading time

Article by Serena De Pater

QR codes are useful, but did you know they can also be dangerous? Looking for new ways to break in, hackers are increasingly turning to the QR code. This not yet well-known method of attack is called Quishing, a contraction of 'QR code' and 'phishing'. What exactly does it mean? And how can you guard against it?

A QR code, or 'Quick Response code', is a kind of digital barcode that you can easily scan with the standard camera application on your phone. It does not require a separate app. When scanned, the QR code automatically retrieves a URL, document or some other data.

What's handy about QR codes, of course, is that you don't have to manually enter a long URL in the web browser. You scan the code and you are done. QR codes are therefore found in all sorts of places:

On restaurant tables, with a link to the menu
On mobile tickets for festivals or concerts
When sharing a Wi-Fi network
During the corona pandemic, there was the "corona check app" containing a QR code
You can also easily pay with your phone by scanning a QR code

Handy, isn't it? But beware: while QR codes may seem harmless, they can be very risky. How does this work?

QR code phishing 📧🎣

'Quishing', or 'QR Code phishing', is the term for phishing attempts using QR codes. Hackers create malicious QR codes and distribute them through various channels such as e-mail, social media, advertisements or even printed materials such as posters, flyers or stickers.

Often, these are accompanied by a tempting offer, discount or other incentives to encourage users to scan them. Unsuspecting users then end up on malicious pages that mimic legitimate websites, such as a banking portal, social media or online shop. These fake sites are designed to steal users' personal information.

Quishing emails look the same as phishing emails, with the main exception being the addition of a QR code. Another common method of attack is placing a malicious QR code in public, sometimes pasted over a legitimate QR code. The QR code redirects the victim to a fake web page asking for account and login details.

QR codes are appearing in more and more places, but unfortunately they cannot always be trusted.

Where can you come across malicious QR codes?

Stickers on pay machines in car parks: Fake QR codes were stuck on parking meters disguised as 'quick pay' options. Motorists were asked to scan the code and enter credit card details, but those who did so were directed to a fake website.
Fake tickets for events, like concerts, sporting events and festivals. Scammers create fake tickets to gain entry to events such as concerts, sports matches and festivals. These fake tickets are then sold online or through social media platforms, often at heavily discounted prices.
Fake coupons: QR codes claiming to offer a discount or special offer that must be scanned with a smartphone's camera to then be applied at the checkout, when an online purchase is made from an authentic online retailer. The "You've won a subscription to Netflix" page is a social engineering attack trying to trick you into installing malicious apps, browser extensions or programmes on your computer and phone.
Charity donation requests: Malicious QR codes that direct people to a website to donate money to what appears to be a charitable organisation. However, money from unsuspecting donors is funnelled directly to the scammers.

With this in mind, how do you responsibly handle those handy little squares? A few do's and don'ts:

Do

✅ Set your phone to ask for permission before starting a QR action.

✅ Only scan QR codes if you trust the poster, restaurant or website displaying the QR code.

✅ Check the URL of the website if it asks for a password or login details after scanning a QR code. If you recognise the URL, still check that it is not 'spoofed'; look for spelling mistakes or a swapped letter.

✅ Enable automatic (security) updates for your phone.

✅ Use the built-in app on your phone to scan QR codes. Both Android and iOS devices can scan QR codes without downloading an external app.

What not to do

❌ Do not let your device automatically perform a QR code action.

❌ Do not scan a QR code posted in public spaces, such as a train station or street advertisement.

❌ Do not scan a QR code if it is printed on a label that may cover another QR code.

❌ Do not scan QR codes in e-mails or text messages.

❌ Do not use QR scanner apps released by unknown companies or institutions. Malicious parties can create a malicious scanning app and use it to spread malware or access your device.

Contributor(s)

As a security consultant, Serena de Pater specialises in vulnerability scans to identify security risks in computer systems and software. Organizations use her recommendations to help enhance their cybersecurity posture. Through writing and blogging, Serena aims to make complex security topics accessible to a wide audience.

Topics