QR code phishing is on the rise
Source: UKGlobal
QR codes have become a daily part of our lives, from paying the bill at a restaurant to signing up to events. However, in the past year, the number of QR phishing attacks has risen.
Although they look harmless, malicious QR codes can direct you to the same scams as a phishing email. Recently, there has been an increase in fraudulent QR codes being placed over legitimate ones in car parks – resulting in customers losing money to a scammer.
There has also been a trend of Microsoft Multi-Factor Authentication phishing emails that ask users to scan an embedded QR code to verify their personal information; attackers can then use this personal information for their own ends.
Be careful to check the legitimacy of a QR code, especially when viewed via electronic media. As a golden rule, do not share sensitive information hastily. Any email that asks for sensitive information about you or your company is suspicious. For instance, no bank will ever ask for personal information by email. Call your bank directly to check whether an email is genuine.
Before scanning a QR code, ask yourself:
What is Quishing (QR Phishing)?
Quishing attacks differ from traditional phishing attacks in how the link is formatted in an email. The intent is the same: to direct the recipient to a site that attempts to steal sensitive information or acts as a delivery system for downloading malware onto a device. Instead of a text-based link, however, the malicious website is pointed to by a QR code.
While quishing uses many of the same techniques as a traditional phishing attack, the use of QR codes makes it far more difficult to detect and block.
QR codes are designed to be an easy and space-efficient way to direct users to a website. Often, spam and harmful links can be detected by scanning the text of the email; however, an image-based QR code that points the user to a URL is much more difficult to identify.
Quishing poses a unique security challenge for any business because it involves multiple devices with varying levels of anti-phishing defenses. If a user receives an email with a QR code on one device, they will likely scan that code with another device to open the indicated webpage. That second device may not be subject to the same cybersecurity levels as a networked device, making it difficult to prevent, detect, and track potential compromises.
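The detection gap described above, as an added example that is not part of the original article: a filter that only reads the text parts of an email finds no URL in a QR-only message, so such messages have to be routed to image inspection instead. The sample emails, addresses, placeholder image bytes and keyword patterns are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumed lure wording, modelled on the "scan to verify" MFA emails described above.
SCAN_RE = re.compile(r"\b(scan|qr code)\b", re.I)
VERIFY_RE = re.compile(r"\b(verify|authenticat\w*|mfa|multi[- ]factor)\b", re.I)

def triage(raw: bytes) -> dict:
    """Report what a text-only link scanner sees and whether images need inspection."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = list(msg.walk())
    body = " ".join(p.get_content() for p in parts if p.get_content_maintype() == "text")
    urls = URL_RE.findall(body)
    images = [p for p in parts if p.get_content_maintype() == "image"]
    lure = bool(SCAN_RE.search(body) and VERIFY_RE.search(body))
    return {
        "text_urls": urls,  # everything a text-based URL filter can check
        "images": len(images),
        "lure": lure,
        # No link in the text, but an image plus scan-and-verify wording:
        # hand the image to a QR decoder or an analyst before delivery.
        "needs_image_inspection": bool(images) and not urls and lure,
    }

def build_sample(body, image=None) -> bytes:
    """Build a constructed test email; all addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "it-support@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "Action required"
    m.set_content(body)
    if image is not None:
        m.add_attachment(image, maintype="image", subtype="png", filename="code.png")
    return m.as_bytes()

# Constructed bytes standing in for a QR image (PNG signature plus padding).
PLACEHOLDER_PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)
QR_EMAIL = build_sample(
    "Scan the QR code below with your phone to verify your "
    "multi-factor authentication settings.", PLACEHOLDER_PNG)
LINK_EMAIL = build_sample(
    "Please verify your account at http://login.example.test/verify")

if __name__ == "__main__":
    for name, raw in (("qr", QR_EMAIL), ("link", LINK_EMAIL)):
        print(name, triage(raw))
```
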
How to catch a phishing/quishing attempt
Some methods for detecting these attacks include:
Once you have spotted the phish, you can catch it!
If you spot what you believe to be a scam attempt, you can, if it is within your means, alert the organisation using contact information from their official website. Alternatively, if you have received an email which you're not quite sure about, you can forward it to report@phishing.gov.uk.
Once reported, delete the message. Don't reply or click on any attachment or link, including any "unsubscribe" link. The unsubscribe button could also carry a link used for phishing.
Reporting phishing emails helps to reduce the number of scam communications you receive whilst protecting others from potential cybercrimes.
If a message looks suspicious, it's probably phishing.