One of the lasting impacts of the COVID-19 pandemic is the popularity of QR codes. They’re everywhere, from your table at a restaurant and the register at your favorite coffee shop to random stickers on light poles along the street.
And just like with everything else, criminals have found a way to turn these helpful little codes into a scam. It’s called QR code phishing, better known as “quishing.”
What is quishing?
Like a regular phishing scam, in which fraudsters impersonate trustworthy sources to obtain your personal information, quishing relies on the prevalence of legitimate QR codes to win people’s trust. You could scan what looks like a perfectly legitimate QR code, only to be redirected to a malicious website or to download malware.
26% of malicious links are now sent via QR code, according to cybersecurity firm Keepnet Labs.

These scams have become so rampant that the Federal Trade Commission issued an alert about them earlier this year. Since then, multiple state and local governments have followed suit.
How common is quishing?
According to the cybersecurity company Keepnet Labs, more than a quarter of all malicious links are now sent via QR code.
In a recent report, CNBC stated that the virtual private network company NordVPN estimates that 73% of Americans scan QR codes without verifying them first, and more than 26 million people have been directed to malicious sites this way.
How can I protect myself from quishing scams?
There are some ways to avoid quishing scams, according to cybersecurity company Malwarebytes. Here’s what to look out for:
- Be wary of QR codes that appear in unsolicited emails or messages.
- If a QR code does not give context or explanation of what it’s for, don’t scan it.
- Check the sender’s email address. Look for the usual signs associated with scams, such as misspellings and unusual domain names.
- If the source of the QR code urges you to act quickly, be skeptical.
- Try to verify the code’s legitimacy by contacting the alleged sender through official channels.
- Use a QR code scanner app that checks the safety of a link before opening it.
Another way to stay safe is to be vigilant after scanning a QR code. If taken to a page that prompts you to enter personal information, first double-check the logo and full URL of the website. For an additional layer of protection, Malwarebytes recommends manually typing the original URL into your browser instead of using the link provided by the QR code, if possible.
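The kind of link check a scanner app or mail filter could run on a decoded QR payload before opening it is sketched below. This is an added example, not code from Malwarebytes or any product named in the article. The function names, warning labels and sample URLs are assumptions made for illustration, and the check goes beyond the tips above by also flagging IP-address hosts, text before an "@" in the URL, and punycode.

```python
import ipaddress
from urllib.parse import urlsplit

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(payload: str, expected_host: str) -> list[str]:
    """Return warning labels for a decoded QR payload; an empty list means no flag was raised."""
    warnings = []
    parts = urlsplit(payload.strip())
    if parts.scheme != "https":
        warnings.append("not-https")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return warnings + ["no-host"]
    if parts.username is not None:
        # Text before '@' is not the site; the real host comes after it.
        warnings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("punycode-or-non-ascii")
    expected = expected_host.lower()
    if host != expected and not host.endswith("." + expected):
        warnings.append("host-mismatch")
        # Simplification (assumption): treat the last two labels as the registered domain.
        tail = ".".join(host.split(".")[-2:])
        if expected in host or edit_distance(tail, expected) <= 2:
            warnings.append("lookalike")
    return warnings

# Constructed sample payloads (hypothetical names and documentation-range IP, not real sites).
SAMPLES = [
    "https://www.example-bank.com/pay",
    "http://examp1e-bank.com/pay",
    "https://example-bank.com@198.51.100.7/login",
    "https://example-bank.com.account-verify.test/login",
]
if __name__ == "__main__":
    for url in SAMPLES:
        print(url, check_qr_url(url, "example-bank.com"))
```

An empty result only means none of these specific warning signs were found; it does not prove the page is safe.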
Malwarebytes also recommends enabling two-factor authentication, so if your personal information is compromised, you can prevent unauthorized access to your accounts. Also, never accept an authentication notification you didn’t initiate yourself.