- Banks and regulators have warned of the growing risk of shutdowns
- A form of phishing that uses fraudulent QR codes to steal information
- These malicious links are not easily recognized by users or email scanners
It’s not just suspicious links to look out for in your email inbox: QR code phishing – or ‘quishing’ – is becoming an increasingly common threat, with fraudulent codes designed to slip through security systems and trick you into tempted to hand over your financial information.
A number of British banks, along with the UK’s National Cyber Security Center and the US Federal Trade Commission, have recently warned about the dangers of this increasingly sophisticated quishing scam.
A quishing attack usually involves sending a QR code as an attachment to an email. It appears that the email is from a legitimate source, such as a lender. When you scan the code, you will be taken to a malicious link. Typically, you will be asked to enter personal information, but it may also try to install malware or even capture an MFA token to bypass your credentials.
Furthermore, quishing attacks have now spread to the real world. Earlier this year, the RAC warned motorists about fraudulent QR codes being stuck on parking meters. When scanned, these users link to a website that aims to steal the data and payment information of someone who thinks they are paying for parking.
These attacks have increased since the pandemic, when the use of QR codes exploded. As a hands-free way to access everything from menus to medical forms, QR codes became a familiar and seemingly reliable way to access information and services.
Gone with quishing
Like a classic phishing scam, quishing aims to fool you into believing that you received the link from a legitimate source. The email usually appears to be from a bank or email provider, asking you to confirm your details to ‘secure’ your account. The scam uses a fake website that mimics the real one, to fool you into believing it is legitimate.
Because the contents of a QR code are not immediately visible just by looking at the code, it is difficult to check whether a QR code is legitimate. Furthermore, these codes often slip past cybersecurity tools, which cannot easily verify whether an attached code is genuine.
Scammers are also finding increasingly sophisticated ways to hide their scams from security tools. In addition to hijacking legitimate email accounts, some QR code scams use real personal information collected from sites like LinkedIn to personalize emails to make them appear relevant to an individual. Domain redirection is often used to allow users to navigate through different URLs, preventing email scanners from detecting the real malicious link behind the QR code.
A similar version of the scam, seen in a report from Perception pointdirects users to me-QR.com, a legitimate QR code creation website. Once there, the service scans a second QR code, which leads to a malicious landing page hosted on SharePoint, Microsoft’s web-based collaboration platform.
We’ve written extensively about the evolution of phishing attacks and how to protect yourself from shutdowns. In May, McAfee – the security software company – conducted a study which found that more than 20% of online scams in the UK were likely to involve QR codes. With lenders and regulators raising concerns, quishing is definitely the next big thing in online scams.