Quishing is the new QR code scam you need to watch out for – here's how to stay safe

• Banks and regulators have warned of the growing risk of quishing
• A type of phishing that uses fraudulent QR codes to steal information
• These malicious links aren’t easily recognized by users or email scanners

It’s not just suspicious links you need to watch out for in your email inbox: QR code phishing – or “quishing" – is becoming an increasingly common threat, with fraudulent codes designed to slip through security systems and fool you into surrendering your financial information.

A number of UK banks, together with the UK National Cyber Security Centre and US Federal Trade Commission, have recently warned of the dangers of these increasingly sophisticated quishing scams.

In a quishing attack, a QR code is usually sent as an attachment to an email. The email will appear to be from a legitimate source, such as a lender. When you scan the code, it will direct you to a malicious link. This will usually ask you to submit personal details, but it could also attempt to install malware or even capture an MFA token to bypass your login credentials.

What’s more, quishing attacks have now spread into the real world. Earlier this year, the RAC warned motorists of fraudulent QR codes being stuck to parking machines. When scanned, these would link users to a website that aims to steal the details and payment information of someone who believes they’re paying for parking.

These attacks have increased since the pandemic, when the use of QR codes ballooned. As a hands-free way to access everything from menus to medical forms, QR codes became a familiar and apparently trustworthy way to access information and services.

Gone quishing

Like a classic phishing scam, quishing aims to fool you into believing that you’ve been sent the link from a legitimate source. The email will usually appear to be from a bank or email provider, asking you to confirm your details to ‘secure’ your account. The scam will use a fake website that mimics the real thing to fool you into believing it’s legitimate.

Because the content of a QR code isn’t immediately visible from looking at the code alone, it’s difficult to check if one is legitimate. What’s more, these codes often slip past cyber security tools, which aren’t easily able to verify whether an attached code is genuine.

Scammers also find increasingly advanced ways to hide their scams from security tools. In addition to hijacking legitimate email accounts, some QR code scams use genuine personal information harvested from sites such as LinkedIn to personalize emails to appear relevant to an individual. Domain redirection is often used to bounce users through several URLs, which prevents email scanners from detecting the true malicious link behind the QR code.

A similar version of the scam, featured in a report from Perception Point, sends users to me-QR.com, a legitimate website for making QR codes. Once there, the service scans a second QR code, which leads to a malicious landing page hosted on SharePoint, Microsoft’s web-based collaboration platform.

We’ve written in depth about the evolution of phishing attacks and how to stay safe from quishing attacks. In May, McAfee – the security software company – ran a survey that found more than 20% of online scams in the UK probably involved QR codes. With lenders and regulators now raising concerns, quishing is definitely the next big thing in online scams.

You might also like

• QR Code phishing is advancing to a new level
• The evolution of phishing: vishing & quishing
• How to stay safe from cybercriminal "quishing" attacks