Beware of Quishing, the New Scam Related to QR Codes: Tips for Protecting Yourself.
Phishing through QR codes is becoming increasingly sophisticated.
Phishing has evolved, and a new threat known as "quishing" has emerged, in which fraudulent QR codes are used to steal personal information. Several banks in the UK, along with the UK's National Cyber Security Centre and the U.S. Federal Trade Commission, have recently warned about this type of attack because of its increasing sophistication.
In a typical quishing attack, a QR code is sent as an attachment in an email that appears to come from a legitimate source, such as a lender. When the user scans the code, they are redirected to a malicious link that often requests personal data or attempts to install malware. In some cases, it may even try to capture a multifactor authentication token to bypass login credentials.
Moreover, this type of attack has begun to manifest in the physical world. Earlier this year, drivers were alerted about fraudulent QR codes placed on parking machines. When scanning such codes, users are led to websites that aim to steal payment information by tricking them into believing they are paying for parking.
The proliferation of these attacks has increased since the pandemic, when the use of QR codes soared, becoming a common and seemingly safe method to access various services and information.
Like conventional phishing attacks, quishing seeks to deceive victims into believing they have received a link from a trusted source. Emails often impersonate a bank or email service provider, urging recipients to confirm their details to "secure" their accounts. These scams operate through fake websites that mimic real ones so that the victim believes they are legitimate.
One of the features that complicate the detection of quishing is that the content of a QR code is not visible at first glance, making verification difficult. Additionally, codes can bypass cybersecurity tools, which often fail to verify whether an attached code is genuine. Scammers also employ more elaborate tactics, such as hijacking legitimate email accounts and leveraging personal information obtained from social media to customize emails and make them appear more relevant.
A report by Perception Point highlighted a variant of this scheme that directs users to me-QR.com, a legitimate site for generating QR codes, where they scan a second code that redirects to a malicious page hosted on SharePoint, Microsoft's online collaboration platform.
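A mail-side check for the patterns described above, as an added example that is not from the article or from Perception Point's report: it takes a QR payload already decoded from an attachment (decoding is assumed to happen upstream) and flags a destination that does not belong to the claimed sender, a hop through a QR-generator site, or a page on shared hosting. The function names, finding labels and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts named in the report above; assumption: extend per environment.
QR_GENERATOR_HOSTS = {"me-qr.com"}
SHARED_HOSTING_SUFFIXES = ("sharepoint.com",)


def host_in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (label-aligned)."""
    return host == domain or host.endswith("." + domain)


def triage_qr_payload(sender_domain, payload):
    """Return findings for one QR payload already decoded from an attachment."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ["unparseable"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not-a-web-url"]
    findings = []
    if parts.scheme != "https":
        findings.append("no-tls")
    if "@" in parts.netloc:  # text before '@' is userinfo, not the real host
        findings.append("userinfo-in-url")
    if any(host_in_domain(host, h) for h in QR_GENERATOR_HOSTS):
        # Only the first hop is visible here; the destination is behind it.
        findings.append("qr-generator-hop")
    if any(host_in_domain(host, s) for s in SHARED_HOSTING_SUFFIXES):
        findings.append("shared-hosting")
    if not host_in_domain(host, sender_domain.lower()):
        findings.append("host-not-sender")
    return findings


# Constructed samples: (domain the email claims to be from, decoded QR text).
SAMPLES = [
    ("bank.example", "https://login.bank.example/verify"),
    ("bank.example", "https://me-qr.com/placeholder"),
    ("bank.example", "https://tenant-placeholder.sharepoint.com/sites/x"),
    ("bank.example", "http://bank.example.verify-login.example/"),
    ("bank.example", "WIFI:S:Guest;T:WPA;P:placeholder;;"),
]

if __name__ == "__main__":
    for sender, payload in SAMPLES:
        print(payload, "->", triage_qr_payload(sender, payload) or ["no-findings"])
```

A `qr-generator-hop` finding means the real destination has not been seen yet, so the message should be held for follow-up rather than cleared.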
According to a survey conducted by McAfee, over 20% of online scams in the UK might be related to QR codes. As banks and regulatory bodies express their concerns, it is clear that quishing is positioning itself as one of the major threats in the realm of online scams.