
Be Wary of Quishing

No…we’re not making up new words just for the fun of it!

You’ve probably seen QR codes popping up everywhere lately—from menus and concert tickets to parking meters and even in office emails. Just point your phone’s camera, and boom—you’re where you need to be. But lately, those little squares have been showing up in a much sneakier way, thanks to something called quishing: it’s basically phishing, but with a QR code instead of a link.

Scammers are now tricking you into scanning a sketchy link instead of clicking one in an email. You scan a code, and it takes you somewhere shady—a fake website that may look real, but is actually designed to swipe your info, or even install malware on your device. The worst part? It’s way harder to spot than a traditional scam. With a link, you can hover over it or read it; with a QR code, the destination is hidden in the pattern until you’ve already scanned it. And because the code is an image rather than text, it can slip past email filters that only inspect written links.

It’s Happening Now

Here’s how these scams are making the rounds:

  • In emails: You might get a message that looks like it’s from IT, your bank, or even HR, asking you to scan a QR code to reset a password, see a document, or verify your identity. They may use the excuse of a “streamlined process” for ease.
  • In public spaces: Have you seen QR codes slapped on signs, lamp posts, parking meters and menus? Sometimes scammers cover real codes with fake ones, so the information you enter goes to them instead of the business you think you are dealing with. They may even set up a website imitating the real establishment, be it the restaurant or parking facility, to get you to submit more information or even enter your payment details.
  • Through impersonation: Scammers have gotten creative. They’re putting QR codes on fake flyers, business cards, and even pretending to be coworkers or well-known companies. They may advertise a seemingly lucrative business opportunity for their company, drawing unsuspecting targets to “apply.”

How to Keep Yourself Safe (It’s Easier Than You Think)

On the Job:

  • Double-check before you scan: If someone at work sends you a QR code, especially one tied to a login or personal info, take a second to verify it’s legit. A workplace request involving sensitive information should ALWAYS be confirmed through a channel you already trust, such as a known phone number or your IT help desk, not by replying to the message that carried the code. Even if the other person claims it is an emergency or needed right away, take a moment to check with a trusted internal source first; urgency is the scammer’s favorite tool.
  • Stay alert in shared spaces: If a QR code randomly shows up in the breakroom or on a printer, be suspicious. Ask around before scanning.
  • Help your team stay sharp: A heads-up can go a long way. If something in an email or posted around the office seems suspicious, warn your coworkers and report it so it can be taken down. Just because you didn’t fall for it doesn’t mean they won’t! Working together toward a security-first mindset helps keep the whole company safe.

Out in the Wild

  • Be picky about what you scan: If the code is from a sketchy source or stuck onto something like a sign or vending machine, skip it entirely. If the code appears to be from a trusted source but you are still unsure, err on the side of caution. For example, you can go directly to the real website yourself rather than using the code to take you there. When in doubt, don’t scan it!
  • Check the URL: Most phones will show a link preview after scanning. If it looks weird or off, don’t tap it. Read the whole domain name (the part just before the first slash), not just the start of the address. An experienced scammer may use a URL that looks very convincing: one letter off from the name of a trusted entity, or the real company’s name buried as a subdomain of a completely different site. If you are unsure, the next point may come in handy.
  • Use better tools: Some QR scanner apps and mobile antivirus tools, such as Sophos Mobile Security and Kaspersky’s Secure QR Scanner, can warn you if the QR code is one that takes you to a suspicious or flat-out malicious website.
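As an added illustration of the “Check the URL” step, and not code from the original post or from Social-Engineer, here is a small Python checker that takes the decoded QR payload (the string your phone shows in its link preview; reading the image itself needs a camera library and is out of scope) and flags the lookalike tricks described above, plus a few related ones a practitioner would also want caught: a trusted name used as a subdomain of another site, a fake host name placed before an “@”, punycode labels, raw IP addresses, plain http and non-web schemes. The trusted-domain list and the sample payloads are constructed for the example.

```python
"""Check the URL decoded from a QR code before tapping it.

Added example, not code from the original post. Input is the decoded QR
payload (what the phone's link preview shows). The trusted-domain list and
the sample payloads below are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'login.bank.example' -> 'bank.example'.
    Simplification: real code should consult the Public Suffix List so that
    names such as 'bank.co.uk' are split correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess_qr_payload(payload: str, trusted_domains: set[str]) -> list[str]:
    """Return a list of warnings; [] means the registrable domain is on the
    trusted list and nothing else looked wrong. The decision still belongs
    to the person holding the phone."""
    warnings: list[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"non-web scheme '{scheme}': not a page you can preview safely"]
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    if scheme == "http":
        warnings.append("plain http: no certificate, the page can be altered in transit")
    if parts.username is not None:
        # https://bank.example@evil.example/ really goes to evil.example
        warnings.append(f"text before '@' is a username; the real host is {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
        return warnings
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: may display as a lookalike of a familiar name")

    trusted = {d.lower() for d in trusted_domains}
    reg = registrable_domain(host)
    if reg in trusted:
        return warnings  # exact match on the registrable domain
    matched = False
    for t in trusted:
        if t + "." in host:
            # the trusted name is only a subdomain of someone else's domain
            warnings.append(f"trusted name '{t}' used as a subdomain of '{reg}'")
            matched = True
        elif levenshtein(reg.split(".")[0], t.split(".")[0]) <= 1:
            # same name one character off, or the same name on another suffix
            warnings.append(f"'{reg}' is a lookalike of trusted domain '{t}'")
            matched = True
    if not matched:
        warnings.append(f"'{reg}' is not on the trusted list")
    return warnings


if __name__ == "__main__":
    TRUSTED = {"bank.example"}                    # constructed for the example
    SAMPLES = [                                   # constructed decoded payloads
        "https://login.bank.example/reset",
        "https://bamk.example/reset",
        "https://bank.example.verify-login.example/",
        "https://bank.example@evil.example/",
        "http://192.0.2.10/qr",
        "javascript:alert(1)",
    ]
    for s in SAMPLES:
        print(s, "->", assess_qr_payload(s, TRUSTED) or ["looks fine"])
```

The lookalike test is deliberately loose (edit distance of one on the name part, ignoring the suffix) because that is exactly the class of domain the scammer is aiming for; a checker that errs toward a warning is the right default for a link you are about to open on a phone.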

The Bottom Line

QR codes are super useful—but they’re also a new way for scammers to sneak in the back door. Quishing isn’t something to panic over, but it is something to be aware of. A second of hesitation before scanning can save you from a major headache later. Take steps to protect yourself in the workplace and out in public. And help your friends and family learn about this newer trick scammers are using; spreading the word raises awareness and keeps others from falling victim to the same attack. Want to learn more about how to spot and stop scams like quishing? Visit social-engineer.org for expert tips, tools, and resources to stay secure.

Written by
Josten Peña
Human Risk Analyst, Social-Engineer, LLC

*** This is a Security Bloggers Network syndicated blog from Security Through Education authored by Social-Engineer. Read the original post at: https://www.social-engineer.org/newsletter/be-wary-of-quishing/