That’s not a typo. The title is not missing an ‘S’. Quishing is a new term, made by combining “QR code” and “phishing”. Like smishing (phishing by SMS text message), it’s yet another deceptive practice that scammers are using to take advantage of people. Here’s what you need to know to stay safe out there:

QR Codes

This is not a quish; my QR code is safe to use!

QR (quick response) codes are those delightful Blade Runner-esque hieroglyphics that you see on the windows and doors of businesses. Scan a QR code, and it will quickly take you to a website, an app download, or some other useful internet function. And as society gets more comfortable with using them, they’re coming into play in many more places:

  • Restaurants, for viewing menus
  • Parking meters, for instant/electronic payments
  • Hospitals, for health app downloads
  • Storefronts, for advertising/promotional offers
  • Malls and public space, for connecting to free municipal Wi-Fi
  • Product packaging, for access to nutrition/safety info

I’ve previously blogged about using your camera on QR codes, and also how easy it is to make your own QR code, for free. Well, as QR codes become more commonplace, scammers are looking for their angle. These opportunists are finding QR codes handy for phishing, because a QR code hides the URL, and therefore the true destination, from the human eye until after it has been scanned. Anyone can generate a code for any link in seconds, and the result looks exactly as trustworthy as a legitimate one.

Where Quishing Occurs

Quishing is when a bad guy creates a QR code of his own, and places it somewhere (often in public), to get unsuspecting people to scan it. Since a QR code can link to anywhere on the internet, a quish could lead your phone to:

  • a phishing (impostor) website
  • a dangerous app download
  • a bogus Wi-Fi hotspot
  • malicious sites or advertisements

There’s not a lot of data yet on how common quishing attacks are, but there are reports of specific incidents out there. Austin, TX had a scam last year, where a quisher put his own QR code stickers on the city’s parking meters. When people scanned those bad codes, they were taken to a fraudulent payment site that tricked them into paying the quisher instead of the city. A BBB article describes a student who received a bogus financial aid letter in the mail; the printed QR code linked to a phishing website, bent on stealing his money.

Besides quishing stickers appearing in public, unsafe QR codes are also being used in phishing emails. These messages claim that your account needs attention and that you can scan the included QR code to sign in. Because the link is hidden inside an image rather than written as text, it slips past many email filters that would catch a plain malicious URL, and scanning it moves you from your computer to your phone, where the fake page is harder to inspect. The QR code leads the victim to a convincing fake website that asks for an email address and password. Someone tricked in this manner delivers their login info directly to cybercriminals.

For more quishing examples, check out this BBB article.

How to Be Safe Against Quishing

Don’t Panic. Quishing, while dangerous, is probably not going to shanghai you if you remain mindful as you use QR codes.

  • Before scanning a QR sticker, judge it for legitimacy. Does it look clean and professional? Is there anything sloppy or suspicious about it? Is it a sticker pasted over a printed code that was already there, as in the parking meter scam? If so, trust your gut and look for a URL to type in or some other way to access the info/website/function. Or ask a legitimate employee about the QR code.
  • After scanning a QR code, confirm that you are where you expected to be. If you’re in a bakery, scanning a QR code for a chance to win a free cheesecake, you should be alarmed if instead you see an ad for dating hot singles in your area. If any weird pop-ups or downloads jump onto your screen, do not cooperate with them. Close those apps, or reboot your phone to get away from them!
  • Notice the URL of any website that comes up from a QR code, and look at the actual domain name, not just whether a familiar word appears somewhere in the address. Scanning a code at Starbucks should take you to an address whose domain is “starbucks.com” (or something ending in “.starbucks.com”), not “starb-buckss.tw”, and not “starbucks.com.something-else.tw” either. Most phone cameras show you the link before opening it; take that moment to read it.
  • Do not sign in to any unexpected password prompts after using a QR code. A menu, a parking meter, or a store promotion has no reason to ask for your email password. Only enter sensitive information if you are 100% certain of the QR code’s trustworthiness. Double-check with anyone in authority where the code is posted, for peace of mind.
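To make the “check the URL” and “know where the code leads” advice concrete, here is a small Python inspector for the text that a QR code decodes to. It is an added example written for this post, not code from any QR app or from the scams described above. It assumes the code has already been decoded to a string (the text your camera app shows before you tap), and it covers the kinds of destinations listed earlier: impostor websites, look-alike domains, credentials hidden before an “@”, direct app downloads, and Wi-Fi join codes. The confusable-character table is a short illustrative subset, and every sample payload is constructed.

```python
"""Inspect the text decoded from a QR code before acting on it.

Added example, not from the original post. It assumes the QR image has
already been decoded to a string (the text your camera app shows before
you tap). The look-alike table is illustrative, and the sample payloads
at the bottom are constructed, not real quishing codes.
"""
from typing import Optional
from urllib.parse import urlsplit

# Small, illustrative subset of characters that pass for Latin letters in
# look-alike domains. Real confusables tables are much longer.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u0131": "i", "0": "o", "1": "l",
}


def host_matches(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain itself or a subdomain of it.

    A plain substring test ('starbucks.com' in url) would also accept
    https://starbucks.com.evil.example/ or https://starbucks.com@evil.example/,
    which is exactly what a quisher counts on.
    """
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def skeleton(label: str) -> str:
    """Fold look-alike characters so 'starbucks.c0m' compares as 'starbucks.com'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def inspect_payload(payload: str, expected_domain: Optional[str] = None) -> dict:
    """Classify a decoded QR payload and list reasons not to proceed.

    Returns {"kind": ..., "ok": bool, "warnings": [...]}; ok is True only
    when nothing suspicious was found.
    """
    warnings = []
    p = payload.strip()
    kind = "text"

    if p.upper().startswith("WIFI:"):
        # Wi-Fi join format: WIFI:T:<auth>;S:<ssid>;P:<password>;;
        kind = "wifi"
        fields = dict(f.split(":", 1) for f in p[5:].split(";") if ":" in f)
        warnings.append("joins a Wi-Fi network; confirm the SSID with the venue first")
        if fields.get("T", "").lower() in ("", "nopass"):
            warnings.append("open network with no password: traffic can be read by others")

    elif p.lower().startswith(("http://", "https://")):
        kind = "url"
        parts = urlsplit(p)
        host = parts.hostname or ""  # userinfo stripped, lowercased
        if parts.scheme.lower() == "http":
            warnings.append("plain http: no encryption and no certificate to vouch for the site")
        if parts.username or parts.password:
            warnings.append("credentials before '@': the real host is what follows the '@'")
        if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
            warnings.append("internationalized hostname; check for look-alike letters")
        if parts.path.lower().endswith(".apk"):
            warnings.append("direct Android package download, bypassing the app store")
        if expected_domain and not host_matches(host, expected_domain):
            if host_matches(skeleton(host), skeleton(expected_domain)):
                warnings.append(f"look-alike of {expected_domain}: {host!r}")
            else:
                warnings.append(f"host {host!r} is not {expected_domain} or a subdomain of it")

    elif ":" in p and p.split(":", 1)[0].isalpha():
        # mailto:, tel:, sms:, market:, custom app schemes, ...
        kind = "uri"
        warnings.append(f"non-web action via scheme {p.split(':', 1)[0]!r}; make sure you expected it")

    return {"kind": kind, "ok": not warnings, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads, modelled on the scenarios in the post.
    samples = [
        ("https://www.starbucks.com/menu", "starbucks.com"),
        ("https://starb-buckss.tw/login", "starbucks.com"),
        ("https://starbucks.com@starb-buckss.tw/login", "starbucks.com"),
        ("http://starbucks.c0m/rewards", "starbucks.com"),
        ("https://cdn.example/parkpay.apk", None),
        ("WIFI:T:nopass;S:Free Mall WiFi;;", None),
    ]
    for payload, expected in samples:
        result = inspect_payload(payload, expected)
        print(f"{'OK  ' if result['ok'] else 'STOP'} {payload}")
        for w in result["warnings"]:
            print("      -", w)
```

The one design choice worth calling out is `host_matches`: it compares the registered domain and its subdomains rather than searching the whole address for a brand name, because “starbucks.com” appears, in full, inside both `starbucks.com.evil.example` and `starbucks.com@evil.example`. The same rule applies when you read a URL by eye: find the part just before the first single slash, and read it from the right.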