
Whether you’re travelling, studying or even grocery shopping, chances are you’ll run into QR codes that can help you to quickly and easily access information. These Quick Response codes offer amazing convenience, but criminals have recognised this and are also taking advantage of their functionality to do harm. If you’re not vigilant, you could fall victim to QR phishing, better known as ‘quishing’.

What is ‘quishing’?

Quishing is a cyberattack involving the use of QR codes to deceive users into accessing harmful websites or downloading files containing malware.

How does quishing work?

A quishing attack starts with a cybercriminal creating QR codes that redirect to a fraudulent login page to steal victims’ credentials, or to a site that automatically downloads malware upon scanning. These malicious QR codes can be inserted into documents or emails as images or attachments, or they can be placed in public areas where people are likely to scan them. Once the QR code is scanned, victims may be prompted to enter sensitive information, such as login details or banking information, or asked to download software or apps that may be harmful. In some cases, the download of malicious content can occur automatically right after the code is scanned.

Detecting a quishing attack can be challenging, as the contents of these codes are usually concealed until scanned. To protect yourself from quishing, be vigilant and look for certain signs before scanning a QR code:

  1. Be on the lookout for unexpected or unsolicited QR codes. Be cautious of QR codes that appear in unsolicited emails or messages. Always check the sender’s email address or contact information for any signs of illegitimacy, such as misspellings or unusual domain names. Verify the legitimacy of the QR code by contacting the supposed sender through official channels.
  2. Check for lack of context or explanation. Legitimate QR codes are usually accompanied by clear explanations of their purpose. Be wary of codes that lack context or a credible source.
  3. Don’t succumb to pressure. As with most scams, criminals often create a sense of urgency to prompt immediate action. Be skeptical of messages that pressure you to scan a QR code quickly.
  4. Inspect the QR code before you scan. QR codes are often displayed in public spaces and can easily be modified. Always check if it seems to have been tampered with or if a sticker has been applied over the original document. If you are unsure or suspicious about anything, it’s probably a good idea to hold off scanning the code and use another option to find the content you’re looking for.
  5. Use a secure QR code scanner. Some QR code scanner apps offer security features that check the safety of the link before opening it. It would be wise to try one of these apps for an added layer of protection. Consider using a QR code scanner app that provides a URL preview before opening the link. This allows you to see where the QR code will take you before proceeding.
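
The kind of URL preview described in tip 5, as an added Python example that is not part of the original article: it inspects the text decoded from a QR code without opening the link and lists warning signs, including the unusual domain names mentioned in tip 1. The trusted domain examplebank.test, the shortener list and all sample payloads are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: stand-in for the institution's real domains.
TRUSTED_DOMAINS = {"examplebank.test"}
# Constructed sample of shortener hosts that hide the final destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def preview_qr_payload(payload: str) -> dict:
    """Describe where a decoded QR payload leads, without opening it."""
    result = {"host": None, "trusted": False, "warnings": []}
    warn = result["warnings"].append
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        warn("malformed link")
        return result
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    if scheme not in ("http", "https") or not host:
        warn("not a normal web link")
        return result
    result["host"] = host
    if scheme == "http":
        warn("unencrypted http link")
    if parts.username or parts.password:
        warn("text before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        warn("raw IP address instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warn("punycode label (possible look-alike characters)")
    if host in SHORTENERS:
        warn("link shortener conceals the destination")
    result["trusted"] = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    if not result["trusted"]:
        for d in sorted(TRUSTED_DOMAINS):
            brand = d.split(".")[0]
            if brand in host:
                warn(f"mentions '{brand}' but is not under {d}")
    return result


if __name__ == "__main__":
    # Constructed payloads, as text decoded from a QR code.
    for sample in ("https://www.examplebank.test/login",
                   "https://examplebank.test@login.phish.example/verify",
                   "http://192.0.2.10/pay"):
        print(sample, "->", preview_qr_payload(sample))
```

A host is reported as trusted only when it equals a listed domain or is a subdomain of it, so a familiar name appearing anywhere else in the link does not count.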

How to handle a discovered QR code scam

If you come across a QR code that appears to be malicious or fraudulent, report it to the appropriate authorities or the platform where you found it. If it is related to your financial institution, be sure to file a report with the cybersecurity and fraud teams at the entity.

If you engage with a malicious QR code, reset your passwords immediately and enable multi-factor authentication. Let your financial institution know that you may have been a victim of QR code jacking and conduct regular checks on your accounts for any suspicious activity. If you shared the bad code with anyone, also let them know and sensitise them on similar actions to take.

Safe banking tip

Never share your passwords or PINs with anyone, not even family. If you have a joint account with someone, ensure they have their own card to access the account and a separate PIN that is unknown to you. Keeping your bank details secret reduces the risk of your account getting hacked or compromised.
