Quishing: Take a moment before scanning that QR code! It could contain a harmful link

Cristina POPOV

January 24, 2024

Do you scan QR codes to check out a restaurant menu, on parking meters, to get a discount coupon, to connect to a business's Wi-Fi, or to find out more about a historical place?

QR codes are everywhere and have become a part of our daily lives. However, sometimes they are not what you think they are.

The Federal Trade Commission (FTC) warns that scammers are hiding harmful links in QR codes and using them in phishing attacks, a tactic known as quishing. And it's on the rise.

What is Quishing, and how does it work?

Phishing has been a longstanding method of deception, taking various forms based on digital trends. This attack aims to trick people, by any means, into divulging sensitive information such as usernames, passwords, and credit card details, which can then be used for further criminal activities.

Given the popularity of QR codes and, more importantly, the tendency for people to scan them without questioning their purpose, QR codes have become perfect tools for scammers.

By manipulating QR codes, scammers lead individuals to a fake website that appears legitimate. If you log in on this spoofed site, scammers can steal any information you enter.

Alternatively, the QR code might install malware that silently collects your information before you even realize it. The format of a code, rather than a link, is the perfect disguise.

Did you know?

QR codes, also known as Quick Response codes, were invented in 1994 by Masahiro Hara, an employee of the Japanese automotive company Denso Wave.

The company faced challenges with traditional barcodes, requiring up to 10 barcodes on a single product. This approach led to production delays as scanners struggled to read them from a single direction.

Masahiro Hara found inspiration for QR codes while playing the game Go. He realized that a grid-based system similar to the Go game board could store more information in a single code and be read from multiple directions, angles, and distances.

QR codes boomed in 2020 when the pandemic hit, and everybody avoided physical contact.

They are here to stay and, unfortunately, are also susceptible to spoofing by cybercriminals.

Where quishing tries to get you

Here are various scenarios where you might encounter a malicious QR code:

  • Emails and Messages: Cybercriminals often send QR codes via emails or messages, pretending to be from legitimate sources, such as well-known companies or brands.
  • Fake Promotions: Many deceptive QR codes lead you to believe you'll receive a discount or special offer.
  • Physical Spaces: Fraudulent QR codes strategically placed in public spaces, on posters, or even on product packaging can catch individuals off guard.

Scammers' strategies to make you scan their malicious QR codes

Cybercriminals can get very creative in employing various cunning tactics to trick individuals into scanning their fake QR codes, ranging from covering legitimate QR codes with their own to sending convincing emails and messages.

Here are some of the ways they try to con you:

  • They say that they couldn't deliver your package and instruct you to contact them to reschedule.
  • They pretend there's an issue with your account and insist you must confirm your information.
  • They lie about detecting suspicious activity on your account and urge you to change your password.

Their messages create a sense of urgency. All they want is for you to scan their code. However, you won't fall for their tricks because you know how to protect yourself.

Real story. DHL QR Code Scam?

Here's a real encounter with a suspicious QR code shared on Reddit.

"I'm trying to sell a PS4 through Facebook, and I've mostly been receiving the FedEx courier scam (the one where they ask you to get the money in cash from a courier who picks up the item), but today I got an offer from someone who wants to use DHL to pay me and pick up the item.

She claims that I can use a QR Code to get paid, and that afterwards I can bring the package to a DHL office to send it. I don't trust it fully, but I do know that DHL does have this type of service, so I'm trying to find out if it's a scam. Have you had anything like this?"

How to protect yourself

Use Scamio – the easiest and quickest method to check a QR code is with Bitdefender Scamio, a free scam detector. You can chat with it on Facebook Messenger or in your browser. Simply scan the QR code with Bitdefender Scamio, which will analyze it and provide you with the result. This way, you'll know if the QR code is malicious or not.

Other options:

  • Inspect the URL before you open it. If it looks like a familiar URL, make sure it's not spoofed by checking for misspellings or switched letters.
  • Don't scan a QR code in an email or text message you weren't expecting. To check whether the message is legitimate, contact the company by phone or through their website.
  • Protect your phone and accounts. Use capable antivirus software on your devices and protect your online accounts with strong passwords and multi-factor authentication.
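The URL inspection step above can also be done mechanically. The following Python sketch is an added example (not part of the original article and not how Scamio works): it checks a URL decoded from a QR code for misspelled or letter-swapped lookalikes of domains you expect. The trusted list and the sample URLs are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the user actually expects to visit (assumption).
TRUSTED = {"dhl.com", "paypal.com", "bitdefender.com"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance where swapping two adjacent letters costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition ("switched letters")
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def registered_domain(host: str) -> str:
    # Simplification: last two labels; a real check should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def inspect_qr_url(url: str) -> list[str]:
    """Return a list of warnings for a URL decoded from a QR code."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        warnings.append("text before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (possible lookalike characters)")
    domain = registered_domain(host)
    if domain not in TRUSTED:
        near = sorted(t for t in TRUSTED if osa_distance(domain, t) <= 2)
        if near:
            warnings.append(f"'{domain}' resembles '{near[0]}'")
        else:
            warnings.append(f"'{domain}' is not a domain you expected")
    return warnings
```

An empty list means the URL points at a domain on your own trusted list over HTTPS; any warning is a reason to stop and contact the company through a channel you already know.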

If you scan a fake QR code, change the passwords for any accounts you may have given scammers access to, and monitor your accounts.



Cristina POPOV

Cristina is a freelance writer and a mother of two living in Denmark. Her 15 years' experience in communication includes developing content for TV, online, mobile apps, and a chatbot.
