
Be cautious of QR codes: Quishing is the new Phishing

By Methods | 21 October 2024 | 1 min read

Phishing attacks are rapidly evolving as bad actors become increasingly creative. One of the latest threats, known as “Quishing”, is delivered via QR codes. Largely considered convenient, these seemingly harmless black-and-white squares are becoming a tool for cyber criminals to trick unsuspecting users.

QR codes: a new gateway for phishing

Cyber criminals have become skilled at embedding malicious links within QR codes. When scanned, these codes can lead you to phishing websites, steal personal information, or install malware on your device. The security industry often teaches users to avoid phishing by inspecting a URL before clicking it on their computer. However, QR codes pose a different challenge, as they can’t be visually examined like text-based URLs. Most people use their phone’s camera to scan QR codes, but it can be difficult to review the URL that briefly appears before the app processes it. The URL may be visible for only a few seconds, and malicious actors can obscure the true destination using URL redirection techniques or services. This evolving risk emphasises the need for vigilance when interacting with QR codes, whether in personal or professional settings.
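Because the URL inside a QR code cannot be read by eye, one option is to triage the decoded text before anything opens it. The sketch below is an added example, not code from the original article; the function name, the shortener list, the redirect parameter names and the sample URLs are all illustrative assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Assumed, illustrative list of link-shortening hosts; extend for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Query parameter names often used by redirectors (assumption, not exhaustive).
REDIRECT_PARAMS = {"url", "redirect", "next", "target", "dest"}

def triage_qr_payload(payload: str) -> list[str]:
    """Return reasons why text decoded from a QR code deserves a closer look."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed URL"]
    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme or plain text: {parts.scheme or 'none'}"]
    findings = []
    if parts.scheme == "http":
        findings.append("unencrypted http")
    host = (parts.hostname or "").lower()
    if not host:
        return findings + ["no host"]
    if parts.username or parts.password:
        findings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible lookalike domain)")
    if host in SHORTENERS:
        findings.append("link shortener hides the destination")
    # parse_qsl percent-decodes values, so an encoded nested URL is exposed here.
    for name, value in parse_qsl(parts.query):
        target = urlsplit(value)
        if name.lower() in REDIRECT_PARAMS and target.scheme in ("http", "https"):
            findings.append(f"redirect parameter '{name}' points to {target.hostname}")
    return findings

if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real incident.
    for sample in ("https://parking.example/pay",
                   "http://203.0.113.7/pay",
                   "https://trusted.example/out?url=https%3A%2F%2Flogin.example%2Fpay"):
        print(sample, "->", triage_qr_payload(sample) or "no findings")
```

An empty result only means none of these checks fired; it does not show that the destination is safe.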

A real-world example

In Thornaby, a 71-year-old woman lost £13,000 after fraudsters swapped a legitimate railway station QR code with their own. The scam led her to a fake website, and the criminals, posing as bank staff, gained access to her accounts, took out a loan, and changed her banking details.

Following this incident, the rail company removed QR codes from car parks, underscoring the increasing risk of QR code scams across the UK.

How to protect yourself

  • Avoid scanning unknown or unsolicited QR codes.
  • Be cautious of QR codes in public spaces or emails.
  • Check the validity of QR codes with the intended sender.

As phishing tactics continue to evolve, awareness and caution are crucial in protecting your personal and financial information.

Stay vigilant and informed as these threats become more sophisticated.