We all know about phishing and most of us have heard of smishing (SMS text) or perhaps vishing (voice). Enter quishing (QR codes), the newest malicious kid on the block. Due to their rising popularity as a method to share information during the pandemic, QR codes are also becoming popular as a means of phishing user credentials.
Threat actors (bad guys) never let a good trend go to waste, and this one is no different. QR codes are easily generated and can contain a wide range of information, so users must exercise extreme caution when utilizing them.
Scanning one of these QR codes most often sends you to a malicious website, where the threat actor’s end goal is typically to steal the victim’s personally identifiable information (PII). In other instances, the code leads to a site where spyware and other malicious programs can compromise your machine.
Threat actors have many tactics for delivering QR codes, including (but not limited to) email, text, and social media. According to the Austin, TX Police Department, quishing has even made its way into the physical sector. Scammers are using professional-looking stickers to point those using parking meters to an alternate pay site. They then collect credit card details in the ultimate impersonation scam: the scammer gets the legitimacy bump from the parking meter itself, and victims are none the wiser!
While security solutions may have trouble detecting these types of phishing attempts, there are measures that you can take to utilize QR codes safely.
- Never scan a QR code from an unknown or untrustworthy source. Did you receive a random, anonymous flyer claiming you could win the latest iPhone if you scan the code? Don’t trust it!
- When scanning a QR code, be sure to use a scanner app that previews the destination. This feature gives you a chance to review the URL and decide if the QR code is safe.
- If you scan a QR code and the URL looks cryptic, the website requires a login, or the site is unrelated to what you scanned, close out of your browser immediately!
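The URL review described in the list above can be partly automated. The following is an added example, not part of the original article: it flags common warning signs in a URL decoded from a QR code. The function name, flag labels, shortener list, and the `cityparking.example` domain are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed sample of link-shortener hosts; extend it for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def triage_qr_url(decoded, expected_domain):
    """List warning signs for a URL decoded from a QR code.

    expected_domain is the site the code claims to lead to. An empty
    list means no heuristic fired, not that the destination is safe.
    """
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed bracketed host
        return ["unparseable"]
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if not host:
        return flags + ["no-host"]
    if "@" in parts.netloc:  # text before '@' is userinfo, not the site
        flags.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        flags.append("idn-host")  # possible look-alike characters
    if host in SHORTENERS:
        flags.append("shortened-link")  # real destination is hidden
    expected = expected_domain.lower().rstrip(".")
    if host != expected and not host.endswith("." + expected):
        flags.append("unrelated-domain")
    return flags

# Constructed samples: a parking-meter code that should lead to cityparking.example.
SAMPLES = [
    "https://pay.cityparking.example/meter/1042",
    "http://203.0.113.7/pay",
    "https://cityparking.example@login.example.net/pay",
    "https://cityparking.example.pay-portal.example/meter",
]
if __name__ == "__main__":
    for url in SAMPLES:
        print(url, triage_qr_url(url, "cityparking.example"))
```

A login prompt on the landing page, the other warning sign in the list, cannot be detected from the URL alone and still needs a human look.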
While we can’t always know what the bad guys are up to, we can learn the warning signs of danger and the proper steps to take to keep ourselves and our data as safe as possible.
Stay alert, stay vigilant, stay safe.