{"id":27743,"date":"2024-08-15T14:00:01","date_gmt":"2024-08-15T22:00:01","guid":{"rendered":"https:\/\/www.spokeo.com\/compass\/?p=27743"},"modified":"2024-08-15T14:00:05","modified_gmt":"2024-08-15T22:00:05","slug":"quishing","status":"publish","type":"post","link":"https:\/\/www.spokeo.com\/compass\/quishing\/","title":{"rendered":"What Is Quishing (and How Can You Avoid It)?"},"content":{"rendered":"\n

No one asked for a sequel to phishing, but it looks like we got one anyway \u2013 and it\u2019s called, of all things, quishing.  What the heck is quishing?  Well, it\u2019s all in the portmanteau. <\/p>\n\n\n\n

Phishing, for the (blissfully) uninitiated, is the scammy practice of contacting someone under the guise of a reputable organization in order to \u201cfish\u201d for private, sensitive, or valuable information (think passwords and bank account numbers).\u00a0 While phishers usually cast their lines via text or email, quishing uses QR codes to lure in victims<\/a> for the same devious information-seeking purposes.\u00a0 So, basically, phishing plus QR codes equals quishing.\u00a0 Fortunately, you plus a little help from Spokeo equals a lot more quishing protection.\u00a0\u00a0<\/p>\n\n\n\n

A Refresher on QR Codes <\/h2>\n\n\n\n

Every quishing attack starts with a QR code<\/a>, so let\u2019s refresh on what exactly QR codes are.\u00a0 You know those weird, pixelated blocky images you scan with your phone camera to get the food menu at a bougie restaurant?\u00a0 That\u2019s a QR code.<\/p>\n\n\n\n

\u201cQR\u201d here stands for \u201cQuick Response.\u201d  Much like an old-school barcode scanned at the grocery store checkout line, these two-dimensional, black-and-white squares contain data that you can view by scanning the image with your phone\u2019s camera.  Typically, that data is a URL linking you to a website (in the restaurant example, the link opens a web-hosted version of the menu, complete with $7 lattes).  <\/p>\n\n\n\n

As we learn how quishing operates, it\u2019ll be clear that QR codes aren\u2019t just a boon for easily sharing everything from menus to public safety announcements to advertisements, they\u2019re also a boon for scam artists \u2013 particularly phishers.  <\/p>\n\n\n\n

The reasoning for that is twofold: Unlike traditional barcodes, which require a proprietary laser to be read, QR codes can be read by just about anyone with a smartphone, and they\u2019re an exceptionally easy way to drive people to websites.  With quishing, scammers take full advantage of that easy accessibility to victims.  <\/p>\n\n\n\n

So what is quishing?  Here\u2019s how it goes down.
<\/p>\n\n\n\n

What Is Quishing? <\/h2>\n\n\n\n

In a phishing attack, scammers usually send an email or a text message to their potential victims, typically posing as a trusted company or organization, like a retailer or a governmental department.  In that initial contact, they\u2019ll include a website link and give the victim a reason to click it \u2013 like, \u201cyou have a refund waiting at this link,\u201d \u201cclick here to view your invoice,\u201d or \u201cyour IRS balance has been updated, please login here.\u201d  <\/p>\n\n\n\n

These links will lead to a fraudulent website that harvests the user\u2019s personal information either by prompting them to enter more details, putting them in touch with a con artist posing as a reputable representative<\/a> in order to personally gather those details in conversation, or by using malware<\/a> that will infect the user\u2019s device.\u00a0\u00a0<\/p>\n\n\n\n

With quishing, the result \u2013 the unwitting or unwillful disclosure of personal information \u2013  is the same, but cybercriminals use a QR code to initiate the scam.  Unlike a traditional URL, victims don\u2019t see the link until they\u2019ve actually scanned the code with their smartphone.  Scammers take full advantage of that sneakiness.     <\/p>\n\n\n\n

Real QR Codes, Real Scams<\/h3>\n\n\n\n

While quishing codes themselves are fully functional, that doesn\u2019t mean they\u2019re official.\u00a0 QR codes often have an air of legitimacy, as they\u2019re much more widely used by businesses and official organizations than they are by individuals.\u00a0 But the thing is, literally anybody can create a QR code, and often for free (test it yourself by typing \u201cQR code generator\u201d into Google).\u00a0 Cybercriminals need only type their phony website\u2019s URL into a QR code generator and, bingo, they\u2019ve got an official-looking QR code ready to lure you in.\u00a0<\/p>\n\n\n\n

Charles Wertz, Information Security Officer at the University of Colorado<\/a>, says, \u201cThe QR codes are very real.\u00a0 It’s the destination that may cause the problem, which is why I think QR codes are dangerous right now.\u00a0 Generally, these codes work, but a cybercriminal’s intent is to have an unsuspecting person scan the code and be taken to a fraudulent website.\u201d\u00a0\u00a0<\/p>\n\n\n\n

\"man<\/figure>\n\n\n\n

Quishing Attack Examples<\/h2>\n\n\n\n

Just like their phishing predecessors, quishing attacks come in a virtually endless variety of flavors.  While they all begin by scanning a QR code, the malicious site can be just about anything; as long as it\u2019s capable of harvesting your sensitive (preferably financial) info in some way, it fits the bill.  Of course, some quishing attacks are more common than others, including these fraudulent faves: <\/p>\n\n\n\n