By Brittany Fugate, CEO at Cenetric
Cyber criminals are always up to something new, and now they’re messing with our QR codes. It’s called quishing, and while the name makes it sound kind of cute, it’s definitely not.
Quick Response (QR) codes, which were invented by a Japanese company in 1994 to track inventory through its automobile assembly process, became popular around 2010 as an easy way to share links. Even though they fell out of fashion a few years later, they saw a resurgence in 2020 with the pandemic.
For the last few years, we’ve been using them everywhere to share all sorts of links. But threat actors have realized they can also be an easy way to steal data. It’s called quishing, and we all need to be on the lookout for it.
How quishing works
Much like phishing scams, in which a cyber criminal tries to trick you into clicking a link in an email or text with social engineering, quishing scams present an innocent-looking QR code, hoping to get you to scan it with your device.
The link behind the QR code then takes you to a malicious site, attempts to install malware on your device, or asks you to provide your username and password to log in to an account. All of these are designed to steal personal data or take control of your device.
Because QR codes are a bit strange-looking anyway, it’s easier to get victims to scan them. Could you really tell a scam QR code from a legitimate one? With all those little black and white squares (called data modules and background, respectively) that seem randomly arranged, they all look the same, don’t they?
That’s what a scammer is counting on. So when you scan one to get information, sign up for something, or make a payment, you do it without much consideration. Until now, of course.
How to avoid a QR code scam
When you interact with QR codes personally or for business, exercise the same caution you would with your email or texts.
Stop before you scan
Consider the setting and the situation — is a QR code expected and appropriate here? Did you get it in an email from a trusted source, or does it seem out of the blue? If you’re using it to access information from a physical source, look closely at the signage or sticker. Does it look original, or could it be a misleading code stuck over the existing one? If it looks a little off, don’t scan it.
Of course, there are many legitimate uses for QR codes. For instance, many companies are putting QR codes on their packaging to help you access instruction manuals or register a product. That’s probably a safe situation, especially since you initiated the purchase.
But if it isn’t expected, a QR code is a much bigger risk. You might have heard about a recent scam in which people have received mysterious packages that they didn’t order with a product and a QR code inside. The scammer wants the recipient to be curious enough about the surprise package to scan the code to figure out where it came from.
But when they do, the link behind the QR code is used to steal private information, like banking and financial data, from the device they used to scan.
Don’t log in
If anything seems off, do NOT log in to any type of account when prompted by a QR code. This is like laying out a welcome mat for a scammer. If for some reason you do need to access an account, go directly to the website for that account instead of using the link from the QR code.
Don’t give unnecessary access to your device
Think twice about granting permission to use your device’s functionality if you’re asked for it after scanning a QR code. Remember that QR codes are usually meant to provide simpler access to information you want. After all, they’re much faster than asking someone to type in an awkwardly long link.
They’re generally not meant to do anything other than take you to a link. If you’re asked for permission to access your contacts, photos or location, don’t allow it.
When a QR code link asks to use your contacts, it could be part of a spoofing scheme in which the scammer sends out an email or text from your device to your contacts, spreading the cyber threat even further.
If your team uses their own devices in their work, be sure your Bring-Your-Own-Device policy has guidelines regarding QR codes.
Using your own QR codes
If you use QR codes in your business, such as a menu in a restaurant, understand that your customers might be aware of these new scams and a little wary of using the QR codes you provide.
Offering an alternative way to access information is a good business practice. Also, regularly inspect any physical places where you’ve put QR codes and ensure they haven’t been tampered with. Avoid sending them by email and use contextual links instead.
Let Cenetric help you stay scam-free
If the appearance of yet another cyber risk is adding stress to your already-full plate, we understand. It takes a lot to stay ahead of all the threats, but a managed services provider like Cenetric can help you out.
Cenetric experts are experienced in cybersecurity and helping you avoid scams and threats — and recover if you’ve already been hit. Let’s set up a time to talk about cybersecurity.