What is Quishing? How to protect yourself from QR code phishing

In an era of QR codes, cybercriminals employ a scheme called ‘quishing’ to deceive individuals and direct them to malicious websites. Read on to learn more about this deception, the various forms of QR code phishing, and how to protect yourself from such attacks.

What is Quishing?

Quishing is a type of cyber attack that involves the use of QR codes to deceive individuals into visiting malicious websites or disclosing sensitive information. This attack exploits the trust and convenience associated with QR codes to trick victims. Quishing can also be known as QR code phishing, QR code spoofing, or QRishing.

How do QR code phishing attacks work?

A typical quishing or QR code phishing attack has five key stages:

1. Distribution: Attackers create fraudulent QR codes and distribute them through various means, such as printing them on flyers, posters, or labels, or by sharing them digitally via emails, SMS, or social media.
2. Deception: The fraudulent QR codes are usually designed to appear legitimate and may promise enticing offers, discounts, or services to entice potential victims.
3. Scanning: Victims encounter the QR code and use their mobile devices, equipped with QR code reader apps, to scan it.
4. Redirection: Upon scanning the QR code, the victim's device is directed to a malicious website that is under the control of the attackers. This website typically mimics a trusted or well-known site.
5. Data theft: The fake website may prompt the victim to enter sensitive information, such as login credentials, personal details, or financial information, by posing as a legitimate source requesting the provided information.

Types of quishing attacks

QR phishing attacks or QRishing can take various forms, and attackers use different tactics to deceive victims. Here are some examples:

1. Fake product discounts: Attackers distribute QR codes promising substantial discounts on popular products or services. When scanned, the QR code redirects users to a fake website where they are asked to provide personal information and payment details. The promised discount never materializes.
2. Phony event tickets: Scammers create QR codes for events that don't exist or tickets that they don't possess. Unsuspecting victims scan the code, believing they are purchasing tickets, only to lose money and have their personal data stolen.
3. Job offer scams: Attackers may send fake job offers via email or social media with a QR code for the job application. When scanned, the code takes the user to a phishing page requesting personal and financial information.
4. Banking and financial scams: Attackers may send QR codes that appear to be from a user's bank, claiming to link to important account information. Scanning the code redirects the user to a fake banking website designed to steal login credentials and financial information.
5. Cryptocurrency scams: Scammers create deceptive QR codes and distribute them through various channels, such as emails, social media, or even physical stickers. Unsuspecting victims scan these codes, believing they are initiating legitimate cryptocurrency transactions, but in reality, they end up sending their funds to the scammer’s wallet.
6. Charitable donation scams: Scammers distribute QR codes claiming to be for charitable donations. When scanned, the code takes users to a fraudulent donation page that captures their payment details.
7. Parcel delivery scams: Scammers send QR codes in emails or texts claiming to be tracking information for a parcel delivery. When the recipient scans the code, it redirects to a fake website that seeks personal information or delivers malware .
8. COVID-19 scams: During the COVID-19 pandemic, scammers used QR codes in phishing attacks. They sent QR codes in emails or messages, claiming to link to information about COVID-19 vaccines or safety guidelines. Scanning the QR code led to fraudulent websites seeking personal information or spreading malware.
9. Restaurant and menu scams: After QR code usage increased during and after the COVID-19 pandemic, attackers distributed QR codes on fake restaurant menus. When scanned, these codes redirected to malicious websites that attempted to install malware or steal personal information.

These are just some examples of QR phishing attacks. QR codes are convenient tools, but they can be exploited by cybercriminals to trick individuals into revealing sensitive information or falling victim to various scams. It's crucial to be cautious when scanning QR codes, especially those received from unverified or unsolicited sources, and to verify their legitimacy before taking any action.

Real world examples of quishing scams

Chinese quishing attack targeted bank accounts

In 2022, a QR phishing campaign emerged in China, where scammers impersonated the Chinese Ministry of Finance. They sent deceptive emails, luring users into believing they could apply for a new government grant. The ruse involved prompting users to scan a QR code embedded in an attached document using a mobile messaging and payment app like WeChat. Hackers often opt for QR codes because they are challenging to detect through technical security measures. Additionally, mobile devices, which are typically used for such actions, can be less secure than computers. Once the code was scanned, users were directed to a webpage where they were prompted to provide extensive information about their credit cards and bank accounts.

Pay-to-park kiosks and parking ticket scams in the US

In a case from Texas , cybercriminals affixed counterfeit QR code stickers to pay-to-park kiosks, leading drivers to believe they could use them for parking payments. When scanning these codes, drivers were directed to a fraudulent website where they entered their credit card information, inadvertently disclosing their confidential data to hackers. A similar incident occurred in February 2022 in Atlanta when drivers discovered fake parking tickets featuring QR codes on their vehicles, purportedly for fine payment. After the issue was uncovered, local authorities cautioned that Atlanta does not employ QR codes on their parking tickets.

What is QRLJacking?

A related concept to quishing is that of QRLJacking. Quick Response Login (QRL) is an authentication method which uses QR codes for logging into websites, apps, or digital services. Users scan the QR code on the login screen with their smartphone, either granting direct access or initiating secondary authentication for multi-factor setups.

However, hackers can exploit QRL as follows:

• They begin a client-side QR session on the target website or app.
• They clone the legitimate QR code, redirecting it to their server.
• They embed this manipulated QR in a fake login page resembling the original.
• The fake login page link is distributed via email or other channels, prompting users to click and scan the QR code.
• If multi-factor authentication isn't active, scanning the QR code grants the attacker access.

Signs of quishing attacks – what to look out for

QR phishing often bypasses malware detectors and email filters because it hides QR codes in emails or attached documents with non-suspicious extensions. This obscurity, combined with emotional manipulation or social engineering , prompts victims to scan malicious QR codes for fraudulent purposes. Watch out for these signs of QR phishing:

• Unusual sources: Be cautious if you receive QR codes from unexpected or unsolicited sources, especially in emails or messages from unknown senders.
• Mismatched domain: Check if the QR code redirects to a different domain or website than the one it claims to represent. This can be a sign of phishing.
• Grammar and spelling: Poor grammar and spelling in accompanying messages or instructions may indicate a phishing attempt.
• Urgent requests: Be wary of QR codes that come with urgent requests for immediate action, such as threats or promises of rewards.
• Multiple authentication steps: Authentic QR code logins typically involve one-time scans. If you are prompted for additional information or steps, it could be a phishing attempt.
• Overly personal info: Requests for highly personal information, such as Social Security numbers or extensive financial details, can be red flags.
• Unusual permissions: When prompted to grant extensive permissions to a mobile app after scanning a QR code, exercise caution and investigate further.

QR phishing tactics vary, so vigilance and caution are essential to avoid falling victim to these scams.

How to protect yourself from quishing

To protect yourself from QR phishing attacks, follow these guidelines:

1. Source verification: Always verify the source of a QR code before scanning, especially if it's from an unknown sender.
2. Be skeptical of unsolicited QR codes: Exercise caution when encountering unsolicited QR codes in emails, text messages, or physical materials.
3. Check for spelling and grammar errors: Scrutinize promotional materials for spelling and grammar mistakes, which are common in scam communications.
4. Examine the destination URL: Before scanning, ensure the destination URL matches the expected source and appears legitimate, without suspicious or misspelled elements.
5. Inspect the landing page: After scanning, carefully examine the landing page's content and design. Legitimate pages are more likely to appear professional and error-free.
6. Beware of immediate information requests: Be cautious if the landing page immediately requests sensitive information like login credentials or payment details. Legitimate services typically don't request this upfront.
7. Verify special offers or discounts: Independently verify offers promised by QR codes with the official website or the company itself. If something seems suspicious or too good to be true, trust your instincts and avoid scanning the QR code.
8. Look for HTTPS: Check for a secure connection (HTTPS) on the redirected website. The S stands for ‘secure’ and indicates the website has an up-to-date security certificate.
9. Use two-factor authentication (FA): Enable FA for your online accounts to add an extra layer of security in case your credentials are compromised.
10. Report suspicious activity: Report suspected QR phishing attacks to relevant authorities, your organization's IT department, or your email service provider.
11. Educate yourself and others: Stay updated on cybersecurity news and threats to recognize potential risks. Share knowledge about QR phishing and other online threats with friends and family to collectively enhance online security.
12. Keep up to date: Ensure your mobile device's operating system and apps are regularly updated with the latest security patches to reduce the risk of falling victim to such attacks.
13. Install security software: Protect your devices with up-to-date security software like Kaspersky Premium , which blocks malicious websites and defends against a range of online threats. Kaspersky Premium comes with unlimited VPN for added privacy to secure your internet connection, and Password Manager to generate and store strong, unique passwords.

By following these tips and staying vigilant, you can significantly reduce the risk of falling victim to QR phishing attacks and other online scams. Prioritizing online security is essential in today's digital world where the use of QR codes is widespread.

FAQs about quishing and QR code phishing attacks

What is quishing?

Quishing involves cyber criminals using QR codes to lead individuals to fake websites, lure them into providing personal or financial information, or trick them into downloading malicious content. Quishing can also be known as QR code phishing, QR code spoofing, or QRishing.

Related products:

• Kaspersky Premium
• Kaspersky VPN Secure Connection
• Kaspersky Password Manager

Related articles:

• What is ransomware as a service?
• How to avoid password spraying attacks
• What can hackers do with your email address?
• What is phishing?