Beware of the QR Codes you come across

A new type of online scam called "quishing" has emerged. In these quishing attacks, cybercriminals try to fool people into scanning a QR code with their phones or computers. When someone scans the code, it takes them to a fake website. This fake website can do two bad things: it might secretly install harmful software on their device, or it could ask for private information like passwords or credit card numbers.

QR codes are square barcodes that can be scanned by a digital device to instantly direct end-users to a website, download an application, authenticate online accounts, or send and receive payment information. Since almost all digital devices now have built-in QR readers, they are frequently used in marketing and advertising campaigns. While this increases their popularity, it also poses a security risk as cybercriminals exploit these codes to deliver phishing attacks via malicious links.


Some of these scams and phishing campaigns have pretended to be from Microsoft, talking about security updates or the maintenance and updating of Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA). Others have posed as someone from within the victims' companies and asked for signatures on fake confidential documents.


In all these scams, the QR code is right in the email, and sometimes it looks like it will take you to Bing.com or Google.com. But when you follow the link, it actually takes you to a bad website made by cybercriminals. So, it's important to be careful when you see QR codes in emails or messages from unknown sources to avoid falling into one of these traps.


How to avoid falling for these quishing attacks


Avoid scanning QR codes included in emails, even those that appear to be sent from known or trusted contacts, without first verifying the legitimacy of the communication. Additionally, follow the tips below to look for signs of tampering and avoid falling victim to a QR code scam.


  • Avoid scanning QR codes from unknown sources.
  • Check the safety tip "You don't often get emails from..." added to certain emails by the email client you use. This banner warns you when you receive emails from someone you do not usually get messages from.
  • If you receive a QR code from a trusted source via email, contact the known "sender" by different means—such as a different email address you are familiar with or by phone—to confirm that the message and content are genuine (many of these messages use forged sender addresses).
  • Review and verify the associated URL before navigating to the website. Some digital device cameras can read and expose hidden URLs. Before opening the link, check if the domain name matches the legitimate URL. If it appears suspicious, avoid clicking the link.
  • Avoid using third-party applications to scan the QR code. Almost all digital devices have a built-in QR code scanning capability within the camera app itself.
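
For readers who review reported QR codes on behalf of others, the domain check from the tips above can be written as a short script. This is an added example, not part of the original article; the expected-domain list, the warning names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: domains the recipient actually expects to land on (illustrative list).
EXPECTED_DOMAINS = {"bing.com", "google.com"}


def on_expected_domain(host, expected):
    """True if host is an expected domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in expected)


def review_qr_url(url, expected=EXPECTED_DOMAINS):
    """Return warnings for a URL decoded from a QR code; an empty list means nothing was flagged."""
    try:
        parts = urlsplit(url.strip())
        warnings = []
        # "https://google.com@other.host/" shows a trusted name before the real host.
        if parts.username is not None:
            warnings.append("userinfo-before-host")
        # "google.com.other.host" only starts with the trusted name; compare the suffix.
        if not on_expected_domain(parts.hostname, expected):
            warnings.append("unexpected-domain")
        # A link on an expected domain can still carry a second URL in its query string.
        for _key, value in parse_qsl(parts.query):
            inner = urlsplit(value)
            if inner.scheme in ("http", "https") and not on_expected_domain(inner.hostname, expected):
                warnings.append("embedded-url-to-other-domain")
                break
        return warnings
    except ValueError:
        return ["unparseable-url"]


# Constructed sample URLs (not taken from any real campaign).
SAMPLES = [
    "https://www.google.com/search?q=qr",
    "https://google.com@login.portal.example/",
    "https://google.com.account-check.example/",
    "https://www.bing.com/go?next=https%3A%2F%2Fsignin.portal.example%2F",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", review_qr_url(sample) or "nothing flagged")
```

An empty result only means none of these three checks fired; it does not confirm that the destination is safe.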
