QR codes have become essential in our interactions with people and products. A quick scan from your phone is all it takes to exchange contact information, access venues, and check out online merchandise. However, their widespread use has attracted cybercriminals who now find it easy to create fake, malicious QR codes, leading to a new phishing threat known as “quishing.” Here is our advisory on quishing attacks with some practical tips to protect yourself.
What is Quishing?
Quishing, also known as QR code phishing, is a cyber threat that takes advantage of the convenience and popularity of QR codes. Cybercriminals use malicious QR codes to trick people into visiting spoofed websites. There, they may try to capture your personal information, such as login details and passwords, install malware on your device, or steal your financial information.
According to Egress, between January 1 and August 31, 2024, at least 12% of phishing attacks involved QR codes, a sharp rise from just 0.8% in 2021. This significant increase in quishing is a testament to the growing ubiquity of QR technology. Moreover, phishing kits on the dark web, such as “FishXProxy,” utilize QR codes as a popular choice for account takeover (ATO) attacks.

The thing is, carrying out a quishing attack is relatively easy, as anyone can generate a QR code. These codes can be placed virtually anywhere – on flyers, posters, t-shirts, backpacks, and through conventional phishing tools like emails and social media. Most people view QR codes as harmless. You’re at risk only when you visit the spoofed websites linked to these codes.
How Does QR Phishing Work?
QR phishing capitalizes on the widespread use of smartphones and QR codes. Even laptops can scan these codes. Attackers need only create a seemingly legitimate QR code that directs to a malicious website or malware files.
Creating a QR code with malicious intent is the easy part. The challenge lies in persuading people to scan it. This is where social engineering comes into play: attackers use impersonation tactics, promise rewards, or create a sense of urgency. As a result, numerous types of quishing attacks have evolved. The most common ones include:
1. QRLJacking
This is the most straightforward yet difficult-to-detect form of quishing attack. Cybercriminals create a QR code linked to a website that closely mimics a legitimate application requiring QR code access. This could be for apps like WhatsApp, Discord, TikTok, or even your banking site.

Most of us never inspect the black-and-white data modules, so there is no way to tell by eye which website a code actually encodes, making it easy to be deceived into giving away login information. Attackers then forward your fresh sign-in to a phishing server, giving them a chance to take over your session remotely later. Fortunately, enabling two-factor authentication makes QRLJacking attacks nearly impossible to execute. Many websites also monitor for suspicious login attempts and will alert you in time.
2. Plain Text QR Phishing
In a plain text QR code phishing attempt, attackers embed harmful QR codes within emails, SMS, and social media chats. The worst part is that these codes can appear to come from trusted contacts, as the attackers may have gained access to their accounts.

The modus operandi is straightforward: attackers may promise a lucrative reward, although many users are now wary of such tactics. Alternatively, they might claim there have been suspicious login attempts on a site like Amazon. In reality, the attackers are trying to capture your login information through the QR code.
3. Formjacking
Formjacking is a common method used to steal financial information, such as credit card details, by luring unsuspecting users to malicious websites. Users may directly submit their payment information, which is then stolen by a malicious script on the page.
Alternatively, they may be asked to fill out a form, often disguised as a survey with promised rewards, to gather security question answers like date of birth, place of birth, mother’s name, and other personal details.

This type of cyber threat had been on the decline, as most users have become cautious of malicious form sites. However, the recent popularity of QR codes has lent a sense of legitimacy to these sites, reviving the threat of formjacking.
4. Other Kinds of QR Phishing Attempts
There are several other types of QR phishing attempts you might encounter unexpectedly. It’s essential to stay vigilant and aware of these methods.
- Malware QR phishing: these QR codes direct you to malware-laden websites or initiate the download of malicious Trojans or rootkits. The aim is to gain unauthorized access to your system’s resources. Using antivirus software with features like a firewall, email and web protection, and phishing defense can help safeguard against these threats.
- Crypto QR phishing: these tools are widely available on the dark web. They lure unsuspecting users into visiting seemingly harmless websites, which then inject malicious scripts that remain undetected. The scripts exploit the target system to mine cryptocurrency without the user’s consent. Consequently, the user may experience days of slow PC performance, frequent reboots, and other performance issues.
- Macro-based QR phishing: although relatively uncommon today, the old trick of embedding macros in Excel, Word, or PDF documents to install malware or steal information now has a QR code twist. However, such files should be automatically blocked on devices with up-to-date antivirus software or updated smartphones.
Why Is It So Easy to Fall Victim to a Quishing Attack?
It’s clear that falling victim to a QR code phishing attempt is relatively common. Here are a few reasons why scammers successfully use this deceptive tool, and why you should become more vigilant about these threats.
- Implicit trust in QR codes: QR code scanning is a relatively new and trendy technology, and many users inherently trust it due to a lack of awareness about potential threats. It’s important to remember that QR codes accounted for nearly 12% of all phishing attempts. Blindly trusting QR codes is a thing of the past.
- Brand impersonation is easy: popular brands like Telegram, WhatsApp, TikTok, Amazon, and many others are simple to impersonate, and most users don’t verify whether a URL is legitimate. For instance, a site like “AmazonAws. com” may sound trustworthy, but it is actually a malicious website with no connection to Amazon or Azure. This gives scammers the upper hand in certain situations.
- Invisible links: most users are cautious about visiting shortened URLs and unfamiliar links. However, with a QR code, these links are hidden behind an image that appears legitimate. This gives an unwarranted sense of credibility to links that should not be visited in the first place.
How to Avoid a Quishing Attack
QR codes are ubiquitous, appearing on billboards, sealed envelopes, clothing, accessories, and across the web and social media. Even though only a small fraction of these codes may contain malicious links, it can feel like becoming a victim is inevitable. But it doesn’t have to be that way. By taking the following precautions, you can stay safe from quishing attacks.
- Only use reliable sources: If you’re using a QR code displayed prominently at a restaurant, shopping mall, or concert venue, it’s likely legitimate. It’s evident that these QR codes are intended for wide public use. In contrast, QR codes received through emails, social media, and random web links require more verification.
- Avoid random QR codes: you might run into random QR codes on flyers, packaging, and other places that offer little of value to you. Avoid scanning these codes.
- Before clicking, preview the QR code: almost all QR scanning apps show you the decoded link before opening it. If the link looks suspicious, resist the urge.
- Enable two-factor authentication: two-factor authentication is a strong bulwark against quishing attempts on popular apps and websites.
- Constant awareness: as QR code phishing scams emerge as a significant security threat, staying updated with the latest cybersecurity news can provide valuable insights into new threat variants.
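The “preview before clicking” and “brand impersonation” points above can be turned into a simple triage check. The following is an added example, not part of the original article or any QR app: it assumes the QR code has already been decoded to a text payload by a scanner app, and applies a few defensive heuristics (plain http, raw IP hosts, known URL shorteners, embedded credentials, and a brand name appearing in a host that is not the brand’s real domain). The brand-to-domain map and shortener list are constructed for the example.

```python
from urllib.parse import urlparse
import ipaddress

# Brands the article names as frequently impersonated, mapped to the
# registrable domains they actually use (constructed, illustrative mapping).
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk", "amazon.de"},
    "whatsapp": {"whatsapp.com"},
    "tiktok": {"tiktok.com"},
    "telegram": {"telegram.org"},
}

# Common URL shorteners that hide the final destination (constructed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simple heuristic; a real tool would
    consult the public-suffix list to handle names like example.co.uk."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_qr_payload(payload: str) -> list:
    """Return a list of risk flags for text decoded from a QR code.
    An empty list means none of the heuristics fired (not proof of safety)."""
    flags = []
    url = urlparse(payload.strip())
    if url.scheme not in ("http", "https"):
        # QR codes can carry Wi-Fi, vCard, tel: etc.; anything that is not a
        # web link deserves a second look before the scanner acts on it.
        return [f"non-web payload ({url.scheme or 'no scheme'})"]
    host = (url.hostname or "").lower()
    if url.scheme == "http":
        flags.append("plain http, no TLS")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        flags.append("URL shortener hides the destination")
    if url.username or url.password:
        flags.append("credentials embedded in URL")
    for brand, legit in BRAND_DOMAINS.items():
        # e.g. amazon-login-verify.example or amazon.com.evil.example
        if brand in host.replace("-", "") and reg not in legit:
            flags.append(f"brand '{brand}' in host but domain is {reg}")
    return flags
```

Run `triage_qr_payload()` on the string your scanner app displays in its preview; any returned flag is a reason to stop rather than tap through.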
In this guide, we saw what quishing is and how you can protect yourself from a quishing attack. It is just one form of phishing; there are many more, such as those that target Black Friday shoppers. You should also be careful of Amazon Prime Day scams.
Image Credit: DALL-E 3. All photos and screenshots by Sayak Boral.
