You’re probably familiar with the small, square, black and white codes that you scan, known as QR codes. These practical graphics are widely used because they let you quickly obtain further information on your smartphone and log in to user accounts. But as is so often the case, dangers lurk behind these little squares too, because cybercriminals are increasingly using QR codes for a scam known as quishing. Read on to learn what quishing is, how it works, and what the impacts of a successful attack are. Also discover how you can surf more safely and protect your privacy with Avira Free Security’s built-in phishing protection.
Your 101 guide to QR codes
QR stands for “quick response” — those little 2D codes that contain a lot of information in a very small space. You often see them on flyers and posters, but QR codes are also increasingly being used as a means of verification on airline and concert tickets.
The focus is on user convenience. With little effort, you receive key information or are taken directly to a specific web page. All you need is a smartphone with a camera. But convenience also makes things easier for cybercriminals. For example, hackers can hide a malicious link or ransomware behind that innocent-looking QR code. This form of phishing using QR codes is known in professional circles as quishing.
What is quishing?
Quishing is an internet security threat in which cybercriminals aim to obtain personal and confidential information as well as financial data. The stolen data is then abused for other criminal activities, scams, and identity theft.
Quishing is like a traditional phishing attempt. With phishing, potential victims receive an email or text containing a link to a malicious website. Alternatively, ransomware is installed on their computer via a file attachment. With quishing, the forwarding is not done using a traditional text link but via a QR code.
The danger: Because the link is hidden behind an image and doesn’t appear in the text, quishing is harder to detect as a threat. Even email security systems rarely raise a red flag because they recognize the QR code as a harmless image.
How does quishing work?
Criminals create their own QR code that directs potential victims to a malicious website. These QR codes are used both offline and online to trick victims using social engineering techniques. Whether the code appears on a traditional flyer or poster or arrives via social media or email, always keep security top of mind and be careful when scanning QR codes.
To scan the QR code with your smartphone, you’ll need to use either a special app or simply your camera. Your smartphone then interprets the QR code and redirects you to the target URL hidden behind the code. Your browser will open and the page is loaded. This is where the danger lurks: Text-based phishing links are easy to spot, especially when you see them in an email. With quishing, though, it’s unclear from the QR code whether it’s malicious. Also, you can’t verify the link by right-clicking the image.
What happens when you scan fake QR codes?
The consequences of quishing are similar to those of a successful phishing attack. Unsuspecting users are either redirected to a fake website or malware is installed on their device.
- Malicious link: With this tried-and-tested method, the scanned QR code leads to a website that doesn’t look suspect on the surface as it might be based on a site you know. The aim is for you to log in and have your login data intercepted once you do.
- Malware: Simply by visiting the site, malicious software is downloaded and installed on your device. This software can paralyze, lock, or sit there snooping on your system. This gives cybercriminals access to your computer and your sensitive data and documents.
How do you spot quishing attacks?
First of all: It’s impossible to tell from a QR code itself whether it’s legitimate or malicious. The seemingly random black squares on a white background are meaningless to the human eye without an appropriate scanner. However, the context and surrounding factors give you some clues as to whether the code is legitimate or part of a QR code phishing attempt.
- As part of an email: As with regular phishing, check the email for spelling and grammatical errors. Does the sender’s email address seem legitimate? Artificial urgency as well as emotional blackmail and manipulation are also a sign of quishing and online fraud.
- On posters/flyers: Very few people expect to see online fraud on posters and flyers. Check the QR code carefully at events. If it’s obviously been taped over, never scan it. When it comes to flyers, it’s important to pay attention to where they came from: Are they just lying around or did they originate from a legitimate source?
How can you protect yourself from quishing?
Basically: Whether it’s a text-based link or a QR code, always be cautious — especially if you don’t know where it came from. Don’t accept the message at face value if you’re not expecting it. The origin of the message as well as how it’s structured and what it says provide clues as to whether it’s a legitimate request or quishing.
- Check the URL: Most apps display the URL behind a QR code before opening it. If it seems suspicious or is disguised by a service like bit.ly, be wary. Learn how to check website security to make sure the site is trustworthy.
- Check the sender: Who created the QR code? Do you know the person or company? Were you expecting the code, for example as part of registering for a service?
- Handle your data with care: Be careful with your personal information. Consider the risks as not every site and service needs your sensitive information, so check if there are any alternatives that don’t ask for it.
- Avoid downloads: If you don’t know the source or it seems fishy, never download anything from the linked website.
- Additional authentication: Turn on two-factor authentication (2FA) or multi-factor authentication (MFA) for important accounts containing sensitive information. This also means you’re well protected if third parties gain unauthorized access to your login information, including your password.
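The "Check the URL" tip above can be turned into a concrete checklist that runs against the text a scanner decodes from a QR code, before the link is ever opened. This is an added example, not Avira's code: it flags link shorteners, plain http, a raw IP address as the host, text before an "@" that disguises the real host, look-alike (non-ASCII or punycode) domains, and a host that differs from the one you were expecting. The shortener list and the warning wording are assumptions constructed for the example.

```python
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit

# Constructed, non-exhaustive list of link-shortener hosts (assumption for this example).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly"}

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def inspect_qr_payload(payload: str, expected_host: str = "") -> list[str]:
    """Return warnings for a decoded QR payload. An empty list means the cheap
    checks passed, not that the link is safe; open it only if you trust the source."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
    except ValueError:
        return ["payload could not be parsed as a URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # mailto:, tel:, WIFI:, plain text and so on need their own review
        return [f"non-web payload scheme: {scheme or 'none'}"]
    warnings = []
    if scheme == "http":
        warnings.append("plain http, no TLS")
    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("URL has no host")
        return warnings
    if parts.username is not None:
        # http://login.bank.example@evil.example/ really goes to evil.example
        warnings.append("text before '@' can disguise the real host")
    if host in SHORTENER_HOSTS:
        warnings.append(f"link shortener hides the destination: {host}")
    if _is_ip(host):
        warnings.append(f"raw IP address as host: {host}")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        warnings.append("non-ASCII or punycode host (possible look-alike domain)")
    if host.count(".") >= 4:
        warnings.append("deeply nested subdomains")
    if expected_host:
        exp = expected_host.lower()
        if host != exp and not host.endswith("." + exp):
            warnings.append(f"host {host} is not the expected {exp}")
    return warnings
```

Pass the domain you expected (for example the event organizer's) as expected_host so that a look-alike such as example.com.evil.test is caught even though it begins with the familiar name.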
Shield yourself from quishing with Avira Free Security’s phishing protection feature
Unsure if a QR image and the associated link are legitimate? Cybercriminals are getting better and better at disguising their scams. With Avira Free Security’s phishing protection feature, you can spot malicious links in real time.
The tool stops infected pop-ups from opening, identifies phishing websites, and prevents browser hijacking. It also detects unwanted applications in your downloads and alerts you immediately.