QR code scams, known as ‘quishing’, have surged dramatically in recent years.
During a time of rapid digital transformation, new forms of cyber threats constantly emerge. One such threat on the rise in the world of cyber security is known as ‘quishing’, a term derived from QR codes and phishing.
Similar to classic phishing strategies, quishing exploits Quick Response (QR) codes to deceive individuals into divulging sensitive information or downloading malicious software.
It involves scammers creating these two-dimensional barcodes that, when scanned, lead unsuspecting users to fraudulent websites or prompt the download of malware directly onto their device.
This form of scam capitalises on the QR code’s popularity, convenience, and the public’s growing comfort with using them for everything from restaurant menus to payment systems.
The BBC recently reported that QR code-related scams are continuing to rise, with instances up 14-fold over five years.
These scams are primarily orchestrated by organised crime groups and have seen a sharp increase from 100 reports in 2019 to 1,386 in the previous year, as recorded by the national fraud reporting centre, Action Fraud.
The consequences of these scams can be severe, with victims sometimes losing substantial amounts of money, which in turn finances further criminal activities. Scammers have diversified their methods, using QR codes on printed flyers, in emails, and on social media, duping people into handing over sensitive information like bank details.
There are concerns that this type of scam is underreported, and figures could be even higher. This is because people scammed out of smaller amounts of money are less likely to report. However, money may not be the sole target, with further risks of sensitive data being lifted from devices then sold on or used for more complex fraud later down the line.
To protect yourself from quishing scams, here is what to look for and preventive measures to take:
Examine the URL: Before scanning a QR code, make sure the surrounding context seems legitimate. If you can, preview the link that the QR code will direct you to. This feature is available on some smartphones and third-party QR code scanning apps.
Look for tampering: A legitimate-looking sticker or code might be placed over the original one, directing you to a malicious site. Stay vigilant about where you find these codes.
Avoid downloading apps directly: If a QR code prompts you to download an application, it is safer to go through the official app store on your device.
Use trusted QR scanners: Some apps check the safety of a website before opening it and can offer an additional layer of security.
Employ cybersecurity tools: For businesses, it’s crucial to have cyber security systems in place that can detect and block malicious web content.
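The link-preview and app-download checks above can also be automated wherever the decoded text of a QR code is available, for instance in a scanner app or a mail gateway. The following Python is an added example, not code from ESA Risk; the expected host, the shortener list, the file suffixes and the sample payloads are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: the host an organisation expects its own
# QR codes to point at, and a small sample of link-shortener hosts.
EXPECTED_HOSTS = {"pay.parking.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
APP_SUFFIXES = (".apk", ".ipa", ".mobileconfig")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload):
    """Return a list of warnings for the text decoded from a QR code."""
    url = urlsplit(payload.strip())
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        return [f"not a web link: scheme {url.scheme!r}"]
    warnings = []
    if url.scheme != "https":
        warnings.append("link is not HTTPS")
    if url.username or url.password:
        warnings.append("credentials in URL can disguise the real host")
    if _is_ip(host):
        warnings.append("host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate a known name")
    if host in SHORTENERS:
        warnings.append("shortened link hides the destination")
    if url.path.lower().endswith(APP_SUFFIXES):
        warnings.append("direct app download, use the official app store")
    if host not in EXPECTED_HOSTS:
        warnings.append(f"host {host!r} is not on the expected list")
    return warnings


if __name__ == "__main__":
    for sample in ("https://pay.parking.example/bay/12",  # constructed samples
                   "http://203.0.113.7/pay",
                   "https://bit.ly/abc123"):
        print(sample, "->", triage_qr_payload(sample) or "no warnings")
```

An empty list means none of these checks fired; it does not prove the destination is safe.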
Given the rise in both the use of QR codes and the sophistication of scammers, quishing is expected to become a more significant threat. Awareness campaigns are crucial, as informed users are the first line of defence against these types of scams.
Individuals need to remain cautious, especially as scammers continue to target mobile devices with QR codes in ever more cunning ways. A recent example involved fraudulent parking meter codes, an industry where QR codes are utilised frequently, leading users to pay parking fees via a fraudster’s account.
For businesses, the consequences of quishing scams can be serious, leading to data breaches, financial loss, reputational damage and eroded customer trust. As such, it remains essential for organisations to educate employees on the dangers of QR code scams and to implement systems like Web Application Firewalls (WAFs) and Secure Email Gateways (SEGs) that help in sifting out phishing attempts.
Quishing is just one of the many dangers in the cyber landscape, and both individuals and businesses must take proactive steps to guard against such deceptive practices.
By staying informed, sceptical, and utilising security tools, we can fend off the malicious intent hidden behind those seemingly innocuous pixelated squares.
At ESA Risk, we offer a broad range of cyber security services that can help you secure systems and data, become more cyber-aware, identify breaches, and prepare for and respond to attacks.
For advice and support on making your business cyber secure please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.