No one asked for a sequel to phishing, but it looks like we got one anyway – and it’s called, of all things, quishing. What the heck is quishing? Well, it’s all in the portmanteau.
Phishing, for the (blissfully) uninitiated, is the scammy practice of contacting someone under the guise of a reputable organization in order to “fish” for private, sensitive, or valuable information (think passwords and bank account numbers). While phishers usually cast their lines via text or email, quishing uses QR codes to lure in victims for the same devious information-seeking purposes. So, basically, phishing plus QR codes equals quishing. Fortunately, you plus a little help from Spokeo equals a lot more quishing protection.
A Refresher on QR Codes
Every quishing attack starts with a QR code, so let’s refresh on what exactly QR codes are. You know those weird, pixelated blocky images you scan with your phone camera to get the food menu at a bougie restaurant? That’s a QR code.
“QR” here stands for “Quick Response.” Much like an old-school barcode scanned at the grocery store checkout line, these two-dimensional, black-and-white squares contain data that you can view by scanning the image with your phone’s camera. Typically, that data is a URL linking you to a website (in the restaurant example, the link opens a web-hosted version of the menu, complete with $7 lattes).
As we learn how quishing operates, it’ll be clear that QR codes aren’t just a boon for easily sharing everything from menus to public safety announcements to advertisements; they’re also a boon for scam artists – particularly phishers.
The reason is twofold: Unlike traditional barcodes, which require a dedicated laser scanner to be read, QR codes can be read by just about anyone with a smartphone, and they’re an exceptionally easy way to drive people to websites. With quishing, scammers take full advantage of that easy access to victims.
So what is quishing? Here’s how it goes down.
What Is Quishing?
In a phishing attack, scammers usually send an email or a text message to their potential victims, typically posing as a trusted company or organization, like a retailer or a governmental department. In that initial contact, they’ll include a website link and give the victim a reason to click it – like, “you have a refund waiting at this link,” “click here to view your invoice,” or “your IRS balance has been updated, please login here.”
These links will lead to a fraudulent website that harvests the user’s personal information either by prompting them to enter more details, putting them in touch with a con artist posing as a reputable representative in order to personally gather those details in conversation, or by using malware that will infect the user’s device.
With quishing, the result – the unwitting or unwilling disclosure of personal information – is the same, but cybercriminals use a QR code to initiate the scam. Unlike a traditional URL, victims don’t see the link until they’ve actually scanned the code with their smartphone. Scammers take full advantage of that sneakiness.
Real QR Codes, Real Scams
While quishing codes themselves are fully functional, that doesn’t mean they’re official. QR codes often have an air of legitimacy, as they’re much more widely used by businesses and official organizations than they are by individuals. But the thing is, literally anybody can create a QR code, and often for free (test it yourself by typing “QR code generator” into Google). Cybercriminals need only type their phony website’s URL into a QR code generator and, bingo, they’ve got an official-looking QR code ready to lure you in.
Charles Wertz, Information Security Officer at the University of Colorado, says, “The QR codes are very real. It’s the destination that may cause the problem, which is why I think QR codes are dangerous right now. Generally, these codes work, but a cybercriminal’s intent is to have an unsuspecting person scan the code and be taken to a fraudulent website.”
Quishing Attack Examples
Just like their phishing predecessors, quishing attacks come in a virtually endless variety of flavors. While they all begin by scanning a QR code, the malicious site can be just about anything; as long as it’s capable of harvesting your sensitive (preferably financial) info in some way, it fits the bill. Of course, some quishing attacks are more common than others, including these fraudulent faves:
- The fake parking ticket. Since QR codes act as printable web links that are way easier than typing in a long and nonsensical URL, this version of the scam uses fake “parking tickets” placed on car windshields. The “tickets” prompt victims to scan the code to pay the ticket, but the payment details you enter at the faux payment website definitely aren’t going to your local DMV. The Better Business Bureau points to this one as especially common.
- The phony payment method. Legit QR codes can often be an easy way to pay small businesses – just scan the code to be taken to their payment portal. That ease of use is also why con artists love to print QR codes that’ll take you to a fake portal to pay them instead. Look out for these in public places, like parking meters and telephone posts advertising what look like charities.
- The code over the code. This one’s really sneaky. Sometimes, swindlers will place a sticker of their quishing QR code over a legitimate QR code, without the knowledge of the legit code’s owners.
- The in-email QR code. Sometimes phishers will put QR codes in emails to make their phishing attempts look more believable. For example, look out for the “there was a problem with your order” email from what looks like an official retailer prompting you to scan a quishy QR code.
How to Dodge Quishing
Quishing truly is the child of phishing, and the rotten apple didn’t fall too far from the tree. The good news is, though, that just like phishing, quishing is totally preventable if you know the tell-tale signs to sidestep and the red flags to look out for.
That said, there is at least one safety measure unique to quishing, and it starts with your QR code reader. Avoid downloading third-party QR code readers from app stores on your smartphone. In some cases, these QR code scanner apps contain malware themselves. Play it safe by using your phone camera’s built-in code reader instead.
Beyond that, you can outsmart quishing (and by association, oftentimes outsmart phishing, too) with a few sensible guidelines in mind:
- Whenever possible, don’t scan QR codes unless you are absolutely certain that they’re provided by the official source that they claim to represent.
- Make sure any QR code you scan hasn’t been tampered with. Check for frayed or folded edges or other indicators that someone has placed a QR code sticker over an existing QR code. This may indicate that a scammer has covered a legitimate QR code with a quishing attempt.
- Take a look at the URL. When you scan a QR code, you’ll see a preview of the URL, which you tap to open a website. Make sure that URL doesn’t look fishy – or phishy. AT&T, PayPal, Microsoft, DHL, and the IRS are among the most commonly used brands in phishing attacks; if a URL claiming to be from one of them, for instance, clearly doesn’t lead to their official site, don’t click it.
- If you do scan a QR code to navigate to a website, use extreme caution before entering any sort of personal private information. Again, be completely certain that it’s a trusted site before entering things like credit or debit card numbers, Social Security numbers, bank account info, or routing information.
- Never download apps from QR codes. Stick to official app stores, like Google Play or Apple’s App Store, to avoid phishing malware.
- Steer away from making regular payments, like phone bills or subscriptions, using a QR code. While these aren’t always a scam, you do open yourself up to more potential quishing attacks the more QR codes you scan. Pay from a trusted URL (save it to your favorites to be sure) from your phone or PC instead.
- Exercise extra caution with crypto-related QR codes. This segment quickly became a favorite of phishers, and now quishers love it, too. Whether in investing or just shopping, always remember that if it seems too good to be true, it probably is.
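The “take a look at the URL” tip above can be turned into a quick triage routine. This is an added example written for this post, not code from Spokeo: it takes the text a QR reader decodes and lists red flags (plain http, embedded credentials, raw IP hosts, punycode labels, deep subdomains, and a brand name from the list above appearing in a URL whose host is not that brand’s real domain). The sample URLs use the reserved .example domain and are constructed for illustration.

```python
# Added example (not from the original post): triage a URL decoded from a QR code
# before opening it, following the "take a look at the URL" advice.
import re
from urllib.parse import urlsplit

# Brands the post names as commonly impersonated, with their real primary domains.
BRAND_DOMAINS = {
    "paypal": "paypal.com",
    "microsoft": "microsoft.com",
    "dhl": "dhl.com",
    "irs": "irs.gov",
    "att": "att.com",
}


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage_qr_url(payload):
    """Return a list of red flags for a decoded QR payload; empty means nothing flagged."""
    flags = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return ["not an http(s) URL: " + (parts.scheme or "no scheme")]
    host = (parts.hostname or "").lower()
    if not host:
        return ["URL has no hostname"]
    if parts.scheme == "http":
        flags.append("plain http, no TLS")
    if parts.username is not None:
        flags.append("credentials (user@) embedded in URL")
    if host.replace(".", "").isdigit():
        flags.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label, possible homoglyph domain")
    if host.count(".") >= 4:
        flags.append("unusually deep subdomain nesting")
    # A brand word in the host or path while the host is NOT the brand's real domain
    # is the classic lookalike pattern (e.g. paypal.com-secure-login.example).
    tokens = set(re.split(r"[.\-_/]", host + parts.path.lower()))
    for brand, domain in BRAND_DOMAINS.items():
        if brand in tokens and not host_matches(host, domain):
            flags.append(f"mentions {brand} but host is {host}, not {domain}")
    return flags


if __name__ == "__main__":
    for url in ("https://www.paypal.com/signin",
                "http://paypal.com-secure-login.example/verify"):  # constructed samples
        print(url, "->", triage_qr_url(url) or "no flags")
```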
If you’re unsure about the validity of a QR code you see out and about or one you’ve received via email, contact the company that the code claims to come from. In most cases, they’ll be happy to let you know if the code is for real, or if you’ve just dodged a quishing landmine.
Squish Quishers With Spokeo
Even if you don’t know a URL from a UPC, consider Spokeo’s People Search as your final line of defense against quishing and phishing alike. Received a QR code by email and you’re just not sure about it? Use our Reverse Email Lookup to search millions of records for email matches and instantly find out the real owner’s details, contact info, and digital footprint. If that email address isn’t associated with the source it claims to represent, congratulations – you’ve just dodged a quishing attack, with a little help from Spokeo.
As a freelance writer, small business owner, and consultant with more than a decade of experience, Dan has been fortunate enough to collaborate with leading brands including Microsoft, Fortune, Verizon, Discover, Office Depot, The Motley Fool, and more. He currently resides in Dallas, TX.