‘Quishing’ (QR-code phishing) is a relatively new form of cyber scam. It uses the familiar ‘phishing’ technique but delivers the malicious link as a QR code rather than as visible text, tricking victims into disclosing confidential details to waiting cyber criminals.
Why are so many people falling victim to Quishing?
In recent years QR codes have become ubiquitous in both consumer and business environments. Seen as a convenient way to direct people to websites and online forms, they are commonly found on menus, public signposts, in car parks and on adverts.
They are also increasingly used in business settings, including on business cards, at exhibitions, in email signatures and for enrolling phones in business applications such as multifactor authentication apps.
The widespread use of QR codes, and the fact that most people treat them as trustworthy, make them an ideal tool for cyber criminals to target unwary victims. A QR code is opaque to the person scanning it: unlike a printed web address, nothing about its destination is visible until the code has been decoded.
How does a quishing attack work?
The victim is shown a QR code somewhere they would normally expect to see one, presented as if it came from a legitimate source. When scanned with a mobile phone, the code takes the user to a fake website designed to capture login credentials, payment details or personal information. Cyber criminals then use that information to defraud the victim of money, or as the first step in a wider attack on the victim’s organisation. Part of the reason the technique works is that the link is opened on the phone’s browser rather than in a corporate email client, so it often bypasses the link scanning and web filtering that would catch the same URL on a managed laptop.
Examples of personal Quishing attacks
Parking meter scams
QR codes are commonly used on parking meters so that customers can pay quickly through an online service. One of the most common scams is for criminals to cover the genuine QR code with a sticker carrying their own code, which directs users to a criminal website or a fake app that harvests their card details and takes money from their account. There have been many reported cases, including one in which the victim was defrauded of £13,000.
Restaurant menus
Since the Covid pandemic, restaurants in large venues such as airports have used QR codes so that customers can order and pay for food at the table. The codes, often printed on stickers on tables or on menus, are being covered with criminals’ own stickers in the same way as the parking meter fraud, directing customers to fake websites that take their payment details.
‘Special’ offers
Beware of any special offer advertised via a QR code. These are often found on social media, on compromised websites, or in emails and text messages. The offers are typically extremely generous and limited in time, to create a sense of urgency so that the victim scans the code without thinking it through. Again, the code will most likely lead to a fake website that attempts to collect personal and payment details to defraud the victim.
Examples of business attacks
Scam letters from Companies House
Several businesses have reported receiving letters purporting to come from Companies House and requesting payment for “Enhanced Web Filing”. Although they resemble official Companies House correspondence, the letters are a scam: they ask the recipient to scan a QR code to make a payment, which leads to a criminal website that closely imitates the Companies House site.
Security authentication emails
As mentioned above, QR codes are often used legitimately when setting up multifactor authentication. Knowing this, cyber criminals send emails that appear to come from Microsoft, asking the recipient to ‘reauthenticate’ or similar and containing a QR code. Scanning it leads to a fake login page that captures your username and password along with the genuine one-time multifactor code you enter, and relays them to the real service to sign in as you. Because the code is relayed while it is still valid, this defeats one-time-code and push-based MFA; only phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the genuine site’s domain, stop it.
Exhibitions
Business exhibitions are usually awash with QR codes directing attendees to special offers, product information or event details. Cyber criminals have been known to slip their own ‘promotional material’ into events, copying the branding of known businesses but with QR codes that lead to criminal websites designed to steal credentials or to push malicious apps onto the device used to scan them.
How to protect you and your staff from QR code fraud
Employee cyber awareness training
Make sure staff are regularly educated about cyber threats, including quishing, so they know how to spot suspicious emails and QR codes. Short, easily digested training delivered monthly is considered best practice.
Verify any QR codes before you use them
Unless you can verify that a QR code has come from a trusted source and you were expecting it, do not scan it. In particular, do not trust QR codes distributed over social media, and be suspicious of any email that asks you to scan a code rather than click a link: a legitimate sender has no reason to hide a link inside an image when you are already reading the message on a computer.
Be VERY careful of public QR codes
Best practice is not to trust QR codes in public places. If you must use one, check for evidence of tampering, particularly a sticker placed over the original code. Most phone cameras show the decoded web address before opening it: read the domain carefully and cancel if it is not the one you expect. If a website you can verify is offered as an alternative, type that address in instead.
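The checks a security team would apply to the address a QR code decodes to, whether it is the parking or Companies House payment link above or the fake ‘reauthentication’ page in the Microsoft example, are shown below as an added example; this is not code from the original article or from any vendor. The list of expected domains and the sample URLs are constructed for the example, and the lookalike and shortener heuristics are an illustration of the kind of screening a phone preview or an email gateway can do, not a complete product.

```python
"""Screen the URL decoded from a QR code before anyone opens it.

Added example, not from the original article. EXPECTED_DOMAINS and the
sample URLs in __main__ are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: the domains this organisation expects QR codes
# to point at. A real deployment would maintain its own list.
EXPECTED_DOMAINS = {
    "companieshouse.gov.uk",
    "login.microsoftonline.com",
    "example-parking.co.uk",   # hypothetical parking provider
}

# Public URL shorteners hide the true destination until the link is opened.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}


def _host_matches(host, domain):
    """True if host is domain itself or a subdomain of it (match on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def _squeeze(name):
    """Drop dots and hyphens so 'companieshouse-gov-uk' compares equal to 'companieshouse.gov.uk'."""
    return name.replace(".", "").replace("-", "")


def assess_qr_url(url, expected_domains=EXPECTED_DOMAINS):
    """Return (verdict, host, findings) for a URL decoded from a QR code.

    verdict is "allow" (matches an expected domain, nothing suspicious),
    "review" (unknown but not obviously hostile) or "block".
    """
    findings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()

    # Anything other than a web link (tel:, sms:, market:, intent:) acts on the
    # phone directly rather than opening a page, so treat it as hostile.
    if scheme not in ("http", "https"):
        findings.append(f"non-web scheme {scheme or '(none)'}")
        return "block", None, findings

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        findings.append("no host in URL")
        return "block", None, findings

    # "https://companieshouse.gov.uk@evil.example/": the text before '@' is
    # userinfo, not the destination. The browser goes to evil.example.
    if parts.username is not None:
        findings.append(f"text before '@' is userinfo; real destination is {host}")
        return "block", host, findings

    if scheme == "http":
        findings.append("plain http, no TLS")

    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homograph of a familiar name)")

    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    if host in SHORTENERS:
        findings.append("URL shortener: destination not visible until opened")

    if any(_host_matches(host, d) for d in expected_domains):
        return ("allow" if not findings else "review"), host, findings

    # Lookalike: an expected name embedded in a longer host
    # ("companieshouse.gov.uk.secure-pay.example") or with its dots and
    # hyphens replaced ("companieshouse-gov-uk.example").
    squeezed = _squeeze(host)
    for d in expected_domains:
        if d in host or _squeeze(d) in squeezed:
            findings.append(f"lookalike of expected domain {d}")
            return "block", host, findings

    findings.append("host not on the expected list")
    return "review", host, findings


if __name__ == "__main__":
    # Constructed sample URLs, as a phone preview or a mail gateway might decode them.
    samples = [
        "https://www.companieshouse.gov.uk/",
        "https://companieshouse.gov.uk@evil.example/",
        "https://companieshouse.gov.uk.secure-pay.example/",
        "https://companieshouse-gov-uk.example/pay",
        "https://login.microsoftonline.com/",
        "http://bit.ly/3abc",
        "https://xn--pple-43d.com/",
        "tel:+441234567890",
    ]
    for sample in samples:
        verdict, host, findings = assess_qr_url(sample)
        print(f"{verdict:6s} {host or '-':45s} {sample}  {'; '.join(findings)}")
```

The verdict levels match how a gateway would act on them: "allow" opens the page, "review" shows the full host and the findings to the user before continuing, and "block" refuses outright. The userinfo and lookalike cases are blocked rather than reviewed because both exist only to make a hostile address read like a familiar one.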
Follow best practice cyber security principles
Following best practice cyber security will reduce the chance of a quishing attack succeeding: phishing-resistant multifactor authentication (FIDO2 security keys or passkeys rather than SMS or one-time codes), email security that decodes QR codes in messages and attachments and checks their destinations in the same way as ordinary links, web filtering that also covers staff phones, and strong controls around your passwords and data.
If you are concerned that your firm may be vulnerable to quishing attacks, get in touch using the form below or consider our free security audit.