QR code phishing is on the rise

Source: UKGlobal

Read time: 4 minutes


QR codes have become a daily part of our lives, from paying the bill at a restaurant to signing up to events. However, in the past year, the number of QR phishing attacks has risen.

Although they look harmless, malicious QR codes can direct you to the same scams as a phishing email. Recently, there has been an increase in fraudulent QR codes being placed over legitimate ones in car parks – resulting in customers losing money to a scammer.

There has also been a trend of Microsoft Multi-Factor Authentication phishing emails asking users to scan an embedded QR code to verify their personal information; attackers can then use this personal information for their own means.

Be careful to check the legitimacy of a QR code, especially when viewed via electronic media. As a golden rule, do not share sensitive information hastily. Any email that asks for sensitive information about you or your company is suspicious. For instance, no bank will ever ask for personal information over an email. Directly call your bank to ascertain if an email is genuine or not.

Before scanning a QR code, ask yourself:

  • Is it from a trusted source? Verify its origin and the URL.
  • Was it randomly placed? Avoid scanning codes found in unexpected locations with no context.

What is Quishing (QR Phishing)?

Quishing attacks differ from traditional phishing attacks in how the link is formatted in an email. The intent is the same: to direct the recipient to a site that attempts to steal sensitive information or acts as a delivery system for downloading malware onto a device. Instead of a text-based link, however, the malicious website is pointed to by a QR code.

While quishing uses many of the same techniques as a traditional phishing attack, the use of QR codes makes it far more difficult to detect and block.

QR codes are designed to be an easy and space-efficient way to direct users to a website. Spam and harmful links can often be detected by scanning the text of the email; however, an image-based QR code which points the user to a URL is much more difficult to identify.

Quishing poses a unique security challenge for any business because it involves multiple devices with varying levels of anti-phishing defenses. If a user receives an email with a QR code on one device, they will likely scan that code with another device to open the indicated webpage. That second device may not be subject to the same cybersecurity levels as a networked device, making it difficult to prevent, detect, and track potential compromises.

How to catch a phishing/quishing attempt

Some methods for detecting these attacks include:

  • Links may have misspellings or grammatical errors. Email addresses and domain names can be easily spoofed. Check links for spelling alterations even if they appear to be from a trusted sender.
  • Emails will often employ scare tactics such as urgency and authority, or emotional manipulation, to trick victims into taking immediate action – bypassing the normal apprehension about fraud to provoke the reader into using a link.
  • Hover over URLs and attachments. If the alt text (the text that appears whilst hovering) does not match the display text, or if it seems strange, DO NOT click on it.
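
The link checks above can also be applied automatically to the URL a QR code decodes to, before anyone opens it. The following is an added example, not part of the original article: it assumes the QR image has already been decoded to a text string, and the trusted domains and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains your organisation actually trusts (constructed examples).
TRUSTED = ("contoso.example", "cityparking.example")

def edit_distance(a, b):
    """Levenshtein distance, used to spot small spelling alterations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(url):
    """Return warnings for a URL decoded from a QR code (empty list = nothing flagged)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if "@" in parts.netloc:
        # Text before '@' is login info, not the site; the real host comes after it.
        warnings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode labels can render as look-alike characters.
        warnings.append("punycode-host")
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return warnings
    warnings.append("untrusted-domain")
    for d in TRUSTED:
        # Compare the registrable-looking tail of the host with each trusted domain.
        tail = ".".join(host.split(".")[-(d.count(".") + 1):])
        if 0 < edit_distance(tail, d) <= 2:
            warnings.append("lookalike-of:" + d)
        elif d in host:
            # Trusted name used as a subdomain prefix of some other site.
            warnings.append("embeds-trusted-name:" + d)
    return warnings

if __name__ == "__main__":
    for sample in ("https://pay.cityparking.example/bay/12",
                   "https://c0ntoso.example/mfa-verify",
                   "http://contoso.example.verify-login.test/login"):
        print(sample, "->", check_qr_url(sample) or "no warnings")
```

An empty result only means none of these specific checks fired; it does not prove the destination is safe.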

Once you have spotted the phish, you can catch it!

If you spot what you believe to be a scam attempt, you can, if it is within your means, alert the organisation using contact information from its official website. Alternatively, if you have received an email which you're not quite sure about, you can forward it to report@phishing.gov.uk.

Once reported, delete the message. Don't reply or click on any attachment or link, including any "unsubscribe" link. The unsubscribe button could also carry a link used for phishing.

Reporting phishing emails helps to reduce the number of scam communications you receive whilst protecting others from potential cybercrimes.

If a message looks suspicious, it's probably phishing.