
Whether you’re travelling, studying or even grocery shopping, chances are you’ll run into QR codes that can help you to quickly and easily access information. These Quick Response codes offer amazing convenience, but criminals, having recognised this, are also taking advantage of their functionality to do harm. If you’re not vigilant, you could fall victim to QR phishing, better known as ‘quishing’.

What is ‘quishing’?

Quishing is a cyberattack involving the use of QR codes to deceive users into accessing harmful websites or downloading files containing malware.

How does quishing work?

A quishing attack starts with a cybercriminal creating QR codes that redirect to a fraudulent login page to steal victims’ credentials, or to a site that automatically downloads malware upon scanning. These malicious QR codes can be inserted into documents or emails as images or attachments, or they can be placed in public areas where people are likely to scan them. Once the QR code is scanned, victims may be prompted to enter sensitive information, such as login details or banking information, or asked to download software or apps that may be harmful. In some cases, the download of malicious content can occur automatically right after the code is scanned.

Detecting a quishing attack can be challenging, as the contents of these codes are usually concealed until scanned. To protect yourself from quishing, be vigilant and look for certain signs before scanning a QR code:

  1. Be on the lookout for unexpected or unsolicited QR codes. Be cautious of QR codes that appear in unsolicited emails or messages. Always check the sender’s email address or contact information for any signs of illegitimacy, such as misspellings or unusual domain names. Verify the legitimacy of the QR code by contacting the supposed sender through official channels.
  2. Check for lack of context or explanation. Legitimate QR codes are usually accompanied by clear explanations of their purpose. Be wary of codes that lack context or a credible source.
  3. Don’t succumb to pressure. As with most scams, criminals often create a sense of urgency to prompt immediate action. Be skeptical of messages that pressure you to scan a QR code quickly.
  4. Inspect the QR code before you scan. QR codes are often displayed in public spaces and can easily be modified. Always check if it seems to have been tampered with or if a sticker has been applied over the original document. If you are unsure or suspicious about anything, it’s probably a good idea to hold off scanning the code and use another option to find the content you’re looking for.
  5. Use a secure QR code scanner. Some QR code scanner apps offer security features that check the safety of the link before opening it. It would be wise to try one of these apps for an added layer of protection. Consider using a QR code scanner app that provides a URL preview before opening the link. This allows you to see where the QR code will take you before proceeding.
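
To illustrate the URL preview described in tip 5, here is an added example (not part of the original article, and not any particular scanner app's code) of what a preview step can show for the text decoded from a QR code. The function name, warning wording and sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample payloads, as a QR decoder would return them (not real sites).
SAMPLES = [
    "https://www.example-bank.test/login",
    "http://192.0.2.10/secure/login",
    "https://example-bank.test@login.example.net/verify",
    "https://xn--constructed-label.test/",
    "WIFI:S:CafeGuest;T:WPA;P:constructed;;",
]


def preview(payload: str) -> dict:
    """Return the real destination host and any warning signs, before opening."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes can also carry Wi-Fi settings, contacts, payment strings, etc.
        return {"host": None, "warnings": [f"not a web link (scheme: {scheme or 'none'})"]}
    host = (parts.hostname or "").lower()
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        # Anything before '@' is a login name, not the site being visited.
        warnings.append("text before '@' is not the site; real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) domain; may imitate another name")
    return {"host": host, "warnings": warnings}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", preview(sample))
```

An empty warning list only means none of these specific signs were found; the host shown still has to be one you recognise and expected.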

How to handle a discovered QR code scam

If you come across a QR code that appears to be malicious or fraudulent, report it to the appropriate authorities or the platform where you found it. If it is related to your financial institution, be sure to file a report with the cybersecurity and fraud teams at the entity.

If you engage with a malicious QR code, reset your passwords immediately and enable multi-factor authentication. Let your financial institution know that you may have been a victim of QR code jacking and conduct regular checks on your accounts for any suspicious activity. If you shared the bad code with anyone, let them know as well and advise them to take similar actions.

Safe banking tip

Never share your passwords or PINs with anyone, not even family. If you have a joint account with someone, ensure they have their own card to access the account and a separate PIN that is unknown to you. Keeping your bank details secret reduces the risk of your account getting hacked or compromised.
