How to Not Get Hacked by a QR Code

QR codes can be convenient—but they can also be exploited by malicious actors. Here’s how to protect yourself.

For every form of communication or messaging out there, you can be sure that scammers and hackers are trying to find a way to take advantage of you—from emails to texts to calls. This threat extends to QR (quick response) codes too.

Earlier this year, we saw a QR code scam targeted at a major US energy company, for example, and security analysts are warning that these so-called quishing attacks are on the rise. Quishing is an amalgamation of “QR code” and “phishing”—where malicious actors “fish” (often over email) for private information and personal details.

If we didn’t already have enough to worry about, now we need to be on guard against quishing. The good news is that the security practices you hopefully already have in place should serve you well here too.

How QR Code Hacks Work

By now we should all be familiar with QR codes: a grid of black-and-white squares that act as a sort of hieroglyph that can be translated by the camera on your phone or another device. Most often, QR codes translate into website URLs, but they can also point to a plain text message, app listings, map addresses, and so on.

This is where the subterfuge can slip in—QR codes can point to fraudulent websites just as easily as genuine ones, and you don’t necessarily know which it’s going to be before you visit it. Scanning a QR code will typically bring up a URL that you can then follow, but it’s rarely clear at first glance just how safe that website address is.
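To make that "first glance" check concrete, here is a small Python sketch that sorts a decoded QR payload into the kinds of content described above and lists features of a web address that deserve a second look before you follow it. It is an added example, not part of the original article; the function names, the warning labels, the short list of link shorteners, and the sample payloads are all constructed for illustration, and an empty warning list does not mean a link is safe.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, illustrative list of link shorteners; not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def classify_payload(payload: str) -> str:
    """Return the kind of content a decoded QR payload carries."""
    try:
        scheme = urlsplit(payload.strip()).scheme.lower()
    except ValueError:  # malformed address, e.g. unbalanced IPv6 brackets
        return "text"
    if scheme in ("http", "https"):
        return "url"
    if scheme == "geo":  # map coordinates (geo: URI)
        return "map"
    if scheme in ("market", "itms-apps"):  # app store listings
        return "app"
    return "text"


def url_warnings(url: str) -> list[str]:
    """List features of a web address worth checking before visiting it."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if parts.username is not None:
        # Text before "@" is not the site: the real host comes after it.
        warnings.append("userinfo")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")  # raw IP instead of a name
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")  # may render as lookalike letters
    if host in SHORTENERS:
        warnings.append("shortener")  # final destination is hidden
    return warnings


def triage(payload: str) -> tuple[str, list[str]]:
    """Classify a decoded payload; warnings apply only to web addresses."""
    kind = classify_payload(payload)
    return kind, url_warnings(payload) if kind == "url" else []
```

For instance, `triage("http://login.example.com@203.0.113.7/verify")` reports a web address that is unencrypted, hides its real host behind an `@`, and points at a bare IP address.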


And you don’t need anything special to create a QR code. The tools are widely available and straightforward to use, and putting together a QR code of your own isn’t much more difficult than scanning one. If you wanted to create a QR code that points to a website that’s been put together for malicious purposes, it would only take a couple of minutes. The QR code could then be stuck on a wall, attached to an email, or printed on a document, ready to be scanned.

The aims of these websites are the same as they’ve always been: to get you to download something that will compromise the security of your accounts or your devices, or to get you to enter some login credentials that will then be relayed straight to the hackers (most probably using a spoof site set up to look like something genuine and trustworthy). The intended end results are the same as ever, but the method of getting there is different.

Avoiding QR Code Hacks

The security precautions you should already be using are the same ones that will keep you protected against QR code hacking. Just as you would with emails or instant messages, don’t trust QR codes if you’re not sure where they’ve come from—perhaps attached to suspicious-looking emails or on websites that you can’t verify. The QR code on the menu in your local restaurant, in contrast, is highly unlikely to have been generated by hackers.

Of course, there’s always the chance that the accounts of your friends, family, and colleagues have been compromised, so you can never be 100 percent sure that a message with a QR code in it is genuine. Scams will usually try to imply a sense of urgency and alarm: Scan this QR code to verify your identity or prevent the deletion of your account or take advantage of a time-limited offer.


As always, your digital accounts should be as heavily protected as possible, so that if you do fall victim to a QR code trick, safety nets are in place. Switch on two-factor authentication for every account that offers it, make sure your personal details are up to date (such as backup email addresses and phone numbers that can be used to recover your accounts), and log out of devices you’re no longer using (you should also delete old accounts you no longer have any need for).

Finally, keep your software up to date—something that’s happily now very easy to do. The latest versions of popular mobile web browsers come with built-in tech for spotting fraudulent links: These integrated protections aren’t infallible, but the more up-to-date your browser and mobile OS are, the better your chances of getting a warning on screen if you’re about to visit an unsafe location on the web.