New cybersecurity threat emerges called quishing

In a world where convenience meets technology, QR codes have become a new method of instant access. These pixelated squares may seem simple, but they unlock a universe of information at the tap of a smartphone camera. From streamlining payments to enhancing marketing strategies, QR codes are transforming the way we connect and interact with the digital realm.

QR stands for “Quick Response,” and a QR code is essentially a two-dimensional barcode with the ability to store data, such as a link to a malicious website.

Quishing, or QR phishing, is an up-and-coming cybersecurity threat in which the end goal is theft of sensitive information for the purpose of financial fraud, identity theft or ransomware.

Protecting against quishing attacks can be particularly difficult, since most people who see a QR code will pull out a cellphone to scan it, circumventing any cybersecurity measures in place to protect against visiting malicious websites.

Where Quishing can take place:

  • Emails or SMS: Bad actors can send emails or messages containing malicious QR codes claiming to be from reputable sources, such as banks, retailers or service providers.
  • Physical locations: QR codes can be placed in public places such as restaurants, cafes or posters, enticing people to scan them for discounts, menus or other services.
  • Social media: Malicious QR codes are shared on social media platforms or websites, often disguised as part of legitimate promotions or events.

How to Defend Against Quishing:

The Michigan Cyber Command Center (MC3) recommends treating QR codes like phishing emails by taking the following measures to identify and protect yourself from quishing.

  • Consider the source: If you receive a QR code from someone, ask yourself if you were expecting this email. Reach out to the sender to confirm they meant to send it. Remember, when reaching out do not use the contact information accompanying the QR code.
  • Check the link: For any QR code you receive, check the Uniform Resource Locator (URL) by inspecting the top-level domain to determine if it is linking to what it says. You can also utilize other tools such as VirusTotal to help determine if the link is malicious.
  • Pay attention to the message: If the QR code is sent in an email or accompanied by a message, pay attention to the language in the email. Is there compelling language indicating urgency or a quick response is needed? Does the individual speak this way? Is the signature block accurate? Is the return address the same as the one it was received from?
  • Don’t scan public QR codes: Bad actors may place malicious QR codes on parking meters to steal money or in restaurants to lead you to a malicious website.
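
The "Check the link" step above can be partly automated once the QR code has been decoded to text. The following is an added example, not MC3 code; the function name, the expected-domain parameter and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def inspect_qr_url(url: str, expected_domain: str) -> list:
    """Return warnings for a URL decoded from a QR code.

    expected_domain is an assumption supplied by the person checking:
    the domain the claimed sender is already known to use.
    """
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.rstrip(".").lower()

    if parts.scheme != "https":
        warnings.append("scheme is not https")
    if not host:
        warnings.append("no hostname in URL")
        return warnings
    # Text before '@' is login data, not the site being visited.
    if parts.username is not None:
        warnings.append("userinfo before '@'; real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host contains punycode (lookalike characters possible)")
    # Match whole labels from the right, so that
    # bank.example.evil.test does not pass as bank.example.
    if host != expected and not host.endswith("." + expected):
        warnings.append("host " + host + " is not under " + expected)
    return warnings


if __name__ == "__main__":
    # Constructed samples using reserved example/test names.
    for sample in (
        "https://www.bank.example/pay",
        "https://bank.example@evil.test/login",
        "https://login.bank.example.evil.test/",
        "http://192.0.2.10/menu",
    ):
        print(sample, "->", inspect_qr_url(sample, "bank.example") or "no warnings")
```

An empty result only means none of these structural warning signs were found; it does not show the site is safe.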

Let’s all be careful when lowering our guard for the convenience of QR codes.