When it comes to cyber threats, you might find yourself wondering, “What will be next?” Quishing is a term used to describe a relatively new type of attack designed to cause chaos and commit fraud. And what’s the delivery method? Scannable QR codes.
Keep reading to learn more about quishing, what it is, and how it works. We also cover some famous real-life examples and how to detect a QR code scam. Plus, you’ll learn what to do if you fall victim and how to protect yourself from this type of scam.
What is quishing?
A quick response (QR) code is a variant of the traditional bar code used to store information. In recent years, QR codes have become popular due to their ability to be scanned by smartphone cameras and utilized in apps.
QR codes can be programmed to open URLs, making it easier for users to visit websites and log in to accounts without having to type web addresses. But, inevitably, this technology has been hijacked by cybercriminals.
QR phishing, also known as “quishing,” is a new type of phishing attack where hackers use QR codes to redirect victims to malicious websites so they can infect their devices with malware or ransomware.
The goal of quishing is to steal information like login credentials, credit card numbers, or personally identifiable information for identity theft, fraud, or other nefarious purposes.
Is QR code phishing on the rise?
The ease of use associated with QR codes has prompted attackers to increasingly target victims through QR scams. Researchers predict that by 2025, roughly 99.5 million people will use their phones to scan QR codes, opening the door to even more scams.
Another reason this type of scam is on the rise is that QR codes often sneak through email security protections without being detected as fraudulent.
Why QR codes bypass email defenses
Most email gateways have built-in security measures that scan the text and links in a message and warn you of potential phishing or malware. With a QR code, there's no visible URL to flag, so the threat often passes undetected.
Attackers also take advantage of the fact that the attack itself doesn't happen inside the email client's security layer but in the browser on your mobile device. On top of that, combining QR codes with URL shorteners and lookalike domains makes it harder still to determine a code's true destination.
Tools like Moonlock’s Scam Detector can check the body of an email itself, looking for clues or telltale signs of a scam. In this way, it’s possible to flag a malicious QR code email without the need to scan the code. Try Moonlock free for 7 days and see for yourself.
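To make the "no visible URL to flag" point concrete, here is an added example of a mail-filter heuristic (written for this article, not Moonlock's Scam Detector or any code from it) that flags messages combining an embedded image, urgency wording and no clickable link at all. The urgency phrase list and the sample message are constructed assumptions.

```python
# Mail-filter heuristic for QR-code phishing (added example, not Moonlock's code).
# A link-scanning gateway sees no URL in a quishing email because the lure is an
# image; this flags messages pairing an embedded image and urgency wording with
# no clickable link, so a human can inspect the image before anyone scans it.
import email
import re
from email import policy
from email.message import EmailMessage

# Urgency phrases modelled on the lures in the article (assumed, not exhaustive).
URGENCY = re.compile(
    r"account (has been )?suspended|package is being held|scan (the|this) (qr )?code",
    re.IGNORECASE,
)
# Anything a link-scanning gateway could normally inspect.
LINK = re.compile(r"https?://|<a\s[^>]*href=", re.IGNORECASE)


def quishing_score(raw: bytes) -> dict:
    """Return the signals found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    texts, images, links = [str(msg["Subject"] or "")], 0, 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            content = part.get_content()
            links += len(LINK.findall(content))
            texts.append(content)
    urgent = URGENCY.search("\n".join(texts)) is not None
    # Image-only call to action, urgency, and nothing for a URL scanner to check.
    return {"images": images, "links": links, "urgent": urgent,
            "suspicious": images > 0 and links == 0 and urgent}


def build_sample(with_link: bool = False) -> bytes:
    """Constructed lure shaped like the article's Netflix example (not a real email)."""
    msg = EmailMessage()
    msg["From"] = "Netflix <no-reply@example.net>"   # placeholder sender
    msg["Subject"] = "Your account has been suspended"
    body = "Your account has been suspended. Scan the QR code below to restore access."
    if with_link:
        body += "\nOr visit https://www.example.com/account"   # a URL a gateway could check
    msg.set_content(body)
    # Stand-in for the QR image: a PNG signature plus padding, not a decodable code.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\0" * 16, maintype="image",
                       subtype="png", filename="qr.png")
    return msg.as_bytes()
```

Run against a real mail feed, the hit list is a queue for human review of the embedded image, not an automatic block.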

How a quishing scam works
Quishing scams work by luring victims into scanning QR codes or clicking malicious links sent by email. Here's how a typical scenario unfolds.
1. The quishing email is sent
In some cases, hackers will send you a quishing email with a QR code and urge you to scan it to receive a free gift, collect a prize, or respond to a problem. Often, a scammer will pretend to be from a legitimate source to gain the victim’s trust.
2. The user scans the QR code
A user receives an email and quickly reads it without realizing it is a scam. The user then scans the QR code with their mobile device.
3. The user lands on a fake site
The QR code opens a web browser leading to a malicious website where the user enters personal information or their device is infected with malware (possibly spyware or ransomware).
4. The scammer wins
The scammer now has your login credentials, along with any other information you entered. They may also have infected your device, which they can now control or use to steal even more of your information.
Real-life examples of quishing scams
The number of ways a scammer could fool you is unlimited. However, be on the lookout for a couple of common real-life quishing scams like the following.
Netflix quishing scams
You get an email that looks like it's from Netflix. It has the Netflix logo, along with the signature red color. The content says, "Your account has been suspended." Before you even turn on your TV to check whether Netflix is working fine, you scan the QR code. The page you land on looks something like Netflix, and it asks you to log in to fix your account.
The problem is, you aren’t really on Netflix. You are on a fraudulent website. If you enter your username and password, the information will go straight to the scammers.
This common ploy is how hackers get hold of Netflix accounts. They lock the owner out by changing the password and then sell the account on the dark web.

FedEx quishing scams
Another compelling quishing attack starts with an email claiming to be from FedEx. The email states that the target’s package is being held at a shipping facility due to an incorrect mailing address. If the recipient has any packages on the way, they may panic and scan the QR code and visit the website.
The website that appears, however, is fraudulent. It has nothing to do with any actual deliveries and is designed solely to steal information or money. Any information the user enters in the hopes of ensuring delivery goes straight to the attacker.

How to detect a QR code scam
Knowing how to detect a quishing scam is half the battle. Use the signs below to watch out for scams and avoid being caught out.
Unsolicited QR codes
If you receive “too good to be true” offers or urgent emails that contain QR codes, do not scan them. Great offers don’t just walk through the door. Anyone offering you something unsolicited is probably a scammer.
Scan suspicious emails with Moonlock
Before clicking on a link, downloading an attachment, or scanning the QR code, use Moonlock’s Scam Detector to analyze the message for signs of a scam, like urgency, social engineering tactics, or suspicious phrasing.

Here’s how to get started:
- Sign up for a 7-day free trial of Moonlock and open the Scam Detector.
- Copy and paste the suspicious message into the tool.
- Click “Check” and let Moonlock flag any telltale signs of a scam.
If the probability of a scam is high, Moonlock will guide you through exactly what to do next so you can respond with confidence.

Check and revoke any suspicious third-party app permissions
A quishing attack doesn’t stop at stealing your credentials. It might grant rogue third-party apps access to your accounts. Go to your iPhone’s Settings, navigate to Privacy & Security, and carefully review any apps you don’t recognize in each permission category.
Review active login sessions on affected accounts
If you entered your credentials on a fake site, the attacker may already be logged in to that account from their own device, so you'll need to check each account individually. To review the devices signed in on your iPhone, go to Settings, then tap your name. Scroll down to see the list of devices you're signed in on, and sign out of any you don't recognize.
Strange sources
Check to verify where the email came from. If, for example, an email claims to be from FedEx but the sender address is a Gmail account, let that be a warning to you.

Poor grammar
Check the spelling and grammar on any supposedly urgent emails you receive. A legitimate source would never send you an email riddled with misspellings. Additionally, scammers sometimes use domain names with slightly misspelled words, with the hope that it’s close enough to pass for the real thing (for example, Netflick instead of Netflix). Carefully examine everything.
What to do if you fall victim to quishing
If you fall victim to quishing, don’t panic. You are not alone. Many people have fallen victim to online scams. If it happens to you, follow the steps below as quickly as possible:
- Immediately change your password for the potentially compromised account.
- Contact the company (e.g., Netflix, FedEx, etc.) and notify them of the fraud.
- Report the fraud to your local police and/or the Federal Trade Commission.
- Keep a close eye on your bank and credit card accounts. Get a copy of your credit report and look for unusual activity.
How to protect yourself from a QR code phishing scam
Quishing is just another type of scam perpetrated by hackers looking for free money. Use the tips below to stay safe from quishing and other types of scams.
- Use Moonlock’s Scam Detector: Copy and paste the message into the Scam Detector to get a rating of its safety and legitimacy.
- Never click links or scan QR codes in suspicious emails. If you get an email that alarms you, don’t click or scan anything. Instead, calmly contact the company by visiting their website and verifying anything you find in the email.
- Preview the URL before tapping: When scanning a QR code, look over the URL preview to get an idea of where it’s taking you. Watch out for misspellings, added hyphens, or unfamiliar domain names.
- Use your phone's built-in camera scanner: Avoid third-party QR code scanners. Your iPhone's native camera app is more trustworthy and shows a URL preview before opening anything.
- Enable MFA: Use two-factor or multi-factor authentication (2FA/MFA) on all your accounts to limit the damage if your credentials are stolen, since an attacker won't be able to access the authentication codes.
- Verify through official channels instead of scanning: If a communication raises a red flag or strikes you as suspicious, go straight to the source. If it’s your bank, mail delivery service, or social media, visit the site. If the message is legitimate, you’ll likely find a notification there.
- Always use long, strong passwords. In addition to using strong passwords, never give your login credentials out to strangers or use them on websites without first verifying the URL.
- Never download from an unsafe site. Don’t download free software or use QR codes to get sample programs. They could be laced with malware.
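The "preview the URL before tapping" tip above, the "Netflick instead of Netflix" lookalike from the grammar section, and the shortener and lookalike-domain point from "Why QR codes bypass email defenses" can be turned into a small checker. This is an added example written for this article, not Moonlock's Scam Detector or any code from it; the trusted-brand and shortener lists are assumptions to be replaced with your own.

```python
# Checker for the URL shown in a QR-code preview (added example, not Moonlock's code).
# Flags what the article tells you to look for: shorteners that hide the destination,
# lookalike brand domains such as "netflick", added hyphens, and unfamiliar domains.
from urllib.parse import urlsplit

TRUSTED = {"netflix.com", "fedex.com"}            # brands from the article's examples
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}    # assumed sample list, extend as needed

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one- or two-character brand misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine for .com-style hosts, not for co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lookalike(reg: str) -> "str | None":
    """Trusted brand that a non-trusted registrable domain imitates, or None."""
    if reg in TRUSTED:
        return None
    for token in reg.split(".")[0].split("-"):      # 'netflick-account' -> both tokens
        for brand in TRUSTED:
            name = brand.split(".")[0]
            if token == name or (len(token) >= 4 and edit_distance(token, name) <= 2):
                return brand
    return None

def check_qr_url(url: str) -> list:
    """Return human-readable warnings; an empty list means no red flag was found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable(host)
    warnings = []
    if parts.scheme != "https":
        warnings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if reg in SHORTENERS:
        warnings.append(f"{reg} is a URL shortener; the real destination is hidden")
    brand = lookalike(reg)
    if brand:
        warnings.append(f"{reg} imitates {brand}")
    if "-" in reg:
        warnings.append(f"hyphen in registrable domain {reg}")
    if reg not in TRUSTED and reg not in SHORTENERS and not brand:
        warnings.append(f"unfamiliar domain {reg}")
    return warnings
```

A URL whose brand appears only in a subdomain (netflix.com.some-other-site.net) still comes back as unfamiliar, which is the right answer: only the registrable domain decides who you are talking to.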
Scammers will never quit, so it is imperative that you educate yourself on the various ways they might try to trick you. Always be on the lookout for scams. By taking a few extra minutes to verify everything, you can avoid a lot of headaches later.
