QR code phishing is a relatively new social engineering attack vector that is becoming increasingly popular among cybercriminals. “Quishing” uses QR codes to lure unsuspecting users into revealing sensitive information. This article describes how it works, possible outcomes, and what you can do to prevent becoming a victim.
QR Code Phishing is a Sophisticated Scam
The thing about QR codes is that they lend an air of legitimacy to any message to which they are attached, so many people are prone to scan them without a second thought. After all, QR codes are complex pieces of data that can only be produced by businesses with access to advanced skills and technology, right?
Wrong! Anyone can create a QR code with one of the free QR code generator apps available on the web. Cybercriminals like QR codes because the payload is in a machine-readable format only, so it is more likely to evade security filters that inspect text and links. They make the offer look official, and victims don’t realize it’s a scam until it is too late.
The QR code springs the trap, but it is the promotion surrounding it that snares the victim. The scammer creates a QR code that appears legitimate but directs those who scan it to a spoofed website or login page.
The bait is a special offer, limited-time discount, or a sense of urgency in the content of a PDF that entices people into scanning the QR code and entering their data without thinking. And email isn’t the only vehicle.
Criminals attach malicious QR codes to social media posts, retail offers, printed advertisements, posters, and hardcopy mail.
Further, cybercriminals are getting much better at impersonating websites to look like the real deal, and at creating polished documents and social posts embedded with the QR code. They use company logos and variable data text to customize the name of the targeted company or individual.
In one documented QR code phishing case, criminals sent authentic-looking emails instructing all company employees to scan the attached QR code to learn about changes to their retirement and benefit plans. Who wouldn’t scan or click on that?
Upon scanning the code with a smartphone or using the camera app on a PC, victims are unknowingly taken to a malicious website where several potential bad outcomes await.
Why won’t they know? Because criminals design the apps so that the malicious URL is hidden or quickly disappears from view to prevent careful scrutiny, or they use redirection or obfuscation techniques to make it difficult to determine the true URL.
Understand the Risks of Quishing
So, you or one of your employees scanned a malicious QR code. What happens next? That depends. Can the criminals really make changes to an employee’s retirement or benefit plans as described in the attack above? No. But that’s not what they are after – they want to harvest credentials.
After being redirected to a fake website controlled by the attacker, the phishing page may prompt victims to enter:
- user login credentials to steal passwords and multi-factor authentication codes to penetrate a business for information theft or ransom purposes.
- personal data such as birthdates, phone numbers, addresses, and Social Security Numbers to commit identity theft.
- credit card and bank account information so criminals can make fraudulent purchases in victims’ names.
One popular scam is a QR code on a fake parking ticket left on a windshield instructing the vehicle owner to pay a fine immediately. Scanning the code takes the victim to a phishing site that collects their financial information. Another is impersonating a Microsoft security update to get employees to input their username and password.
There are also potential outcomes that do not require the victim to take any action other than scanning the QR code. The malicious site may automatically download malware onto the user’s phone or PC to disable the device and paralyze a business, steal and hold data for ransom, take control of the device, or track user activity.
QR codes can be programmed to access payment portals, hijack a Facebook account, or automatically spew damaging emails to everyone in a user or company address book, ruining reputations.
So, while QR codes may seem harmless, there may be more to them than meets the eye, and criminals’ growing sophistication makes weaponized QR codes harder to spot.
QR Code Phishing Warning Signs & Prevention Tactics
This doesn’t mean you should never scan a QR code – most are reputable. But you can take some steps to lower your exposure to quishing scams.
- Check for typos, poor design, and proper logo usage. Even though the criminals are getting better at grammar, misspelled words and poor design of the messaging around the QR code (email, social post, or PDF) or on the website itself are clues of a scam.
- Do not scan QR codes on handbills, from flyers on your windshield, or on public signs. There is no way to guarantee the authenticity of the code. Some scammers print their own QR code labels and place them over legitimate codes. Scanning a QR code off product packaging printed by the manufacturer, however, is usually safe.
- Check that the website the QR code has taken you to begins with HTTPS://, the “S” indicating an encrypted connection. If it’s just “HTTP://,” leave the page.
- After scanning a code, inspect the entire website URL. If it is truncated, obfuscated, or ends in an unrecognizable domain, do not trust the site.
- Beware Gmail senders. Let’s say you receive an email with a QR code that identifies as a well-known brand, but when you look closely at the sender’s email, it’s from a Gmail account and not the brand’s domain. Chances are pretty good it’s a QR code phishing attack.
- Verify the source. If there’s an offer that’s attractive to you but you are not sure the QR code is legit, contact the company by another means – phone, email, or via their official website.
- Trust your instincts. If something is too good to be true, it probably is. If the product is free, you may be the product.
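The URL checks in the list above (HTTPS, full URL inspection, unrecognizable domains, hidden redirects) can be turned into an automated triage step that runs over the decoded QR payload before anyone opens it. The following is an added example written for this article, not code from the original page or from Passpack; it assumes the QR code has already been decoded to a string by a scanner library, and it uses a constructed allowlist (`ALLOWED_DOMAINS`) standing in for the approved-domain policy an organization would maintain. It goes a little beyond the checklist by also flagging IP-literal hosts, punycode hosts, `user@host` tricks and non-web payloads such as Wi-Fi configuration strings.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: the domains this organization expects benefit/HR links to use.
# Ordered (tuple) so brand-lookalike findings are deterministic.
ALLOWED_DOMAINS = ("example-benefits.com", "example.com")
# Well-known public shorteners; a shortener hides the real destination from the user.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Query parameters commonly used to bounce a visitor to a second URL.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto", "dest"}


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain (assumption, no PSL)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_allowed(host):
    """True when host is an allowed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def inspect_qr_payload(payload):
    """Inspect a decoded QR payload and return {'url', 'host', 'findings', 'risk'}.

    risk is 'ok' (allowed host, nothing suspicious), 'review' (allowed host but
    something odd, or a non-web payload) or 'high' (unapproved host with findings).
    """
    findings = []
    text = payload.strip()
    url = urlsplit(text)

    # QR codes can carry Wi-Fi, vCard, SMS or mailto payloads; those need a human look.
    if url.scheme not in ("http", "https"):
        findings.append(f"non-web payload scheme '{url.scheme or 'none'}'")
        return {"url": text, "host": None, "findings": findings, "risk": "review"}

    if url.scheme != "https":
        findings.append("plain HTTP (no TLS)")

    host = (url.hostname or "").lower()
    if not host:
        findings.append("no host in URL")

    # https://brand.com@evil.test/ shows the brand first but lands on evil.test.
    if url.username is not None:
        findings.append("credentials/'@' in URL hide the real host")

    try:
        ipaddress.ip_address(host)
        findings.append("IP address literal instead of a domain name")
    except ValueError:
        pass

    # Internationalized hosts are encoded as xn--...; lookalike letters are possible.
    if "xn--" in host:
        findings.append("punycode (IDN) host; lookalike characters possible")

    if registrable(host) in SHORTENERS:
        findings.append("URL shortener hides the destination")

    # An allowed site bouncing to a foreign URL is still a phishing hop.
    for key, values in parse_qs(url.query).items():
        if key.lower() in REDIRECT_PARAMS and any(
            v.startswith(("http://", "https://", "//")) for v in values
        ):
            findings.append(f"open-redirect style parameter '{key}'")

    if host and not is_allowed(host):
        # Brand name used as a subdomain of an unrelated domain, e.g. brand.com.login-update.net
        for d in ALLOWED_DOMAINS:
            brand = d.split(".")[0]
            if brand in host and registrable(host) != d:
                findings.append(f"brand '{brand}' used on unrelated domain {registrable(host)}")
                break
        findings.append(f"host {host} not in allowed domains")

    if not findings:
        risk = "ok"
    elif is_allowed(host):
        risk = "review"
    else:
        risk = "high"
    return {"url": text, "host": host, "findings": findings, "risk": risk}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would return them.
    for sample in (
        "https://portal.example-benefits.com/login",
        "http://example-benefits.com.login-update.net/hr",
        "https://example.com@evil.test/benefits",
        "https://example.com/go?next=https://evil.test",
        "WIFI:T:WPA;S:net;P:pw;;",
    ):
        result = inspect_qr_payload(sample)
        print(result["risk"].upper(), sample, result["findings"])
```

The `registrable()` helper is deliberately simple; a production version would use the Public Suffix List so that hosts such as `login.example.co.uk` are split correctly. The point of the script is the ordering: decode, inspect the whole URL and decide before the link is ever opened, which is exactly what the checklist asks a human to do.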
Reduce Your Exposure with Passpack
Finally, and most importantly, use a password manager application like Passpack to protect your valuable credentials and reduce your attack surface. Creating strong passwords, enforcing secure sharing policies, and educating employees about the latest cyberthreats go a long way towards recognizing and reducing the risk of falling victim to QR code phishing scams.
Admittedly, a password manager app is not connected to someone’s ability to scan a QR code; users remain free to scan QR codes at will.
However, Passpack offers unique features such as Verified Domains and Allowed Domains that enable administrators to block users from sharing credentials with websites outside of approved domains, as well as multi-factor authentication to provide additional levels of access control.
Try Passpack for Free
Minimize your exposure to QR code phishing scams. Try Passpack today risk-free. Sign up for a no-obligation 28-day free trial of the Passpack Business Plan including access to verified and allowed domains and squash the quishing threat!