Quishing

What exactly is quishing?

Quishing is a form of phishing in which QR codes are used to lure victims to fake or malicious websites. “Quishing” is made up of “QR” (for QR code) and “phishing”. The attackers pretend to be using a legitimate application, but the QR code leads to a malicious website through which the attackers attempt to obtain personal information such as passwords, credit card details or login data. An example would be a fake QR code displayed in a parking lot. The victim scans the code thinking they are paying for parking, but is redirected to a phishing site that steals sensitive information or infects the device with malware.

How does quishing work?

Quishing begins with the creation of a manipulated QR code. This QR code contains a malicious URL that is often hidden or disguised as a legitimate link. Below are the most common steps of a quishing attack: Creating a QR code: Criminals create a QR code that leads to a malicious website. Placement of the QR code: The code can be placed in physical locations (e.g. posters, letters, tickets) or digitally in emails, social networks and other communication platforms. The user scans the code: Once the code is scanned, it redirects the victim to a fraudulent website, which may look like a legitimate website, such as a bank, payment service or a well-known online portal. Target: On the fake site, the victim is asked to enter confidential information or download files. In some cases, malware is loaded directly onto the device when the code is scanned, without the victim having to actively download anything.

How can you protect yourself against quishing?

There are some important measures to protect yourself from quishing attacks: Avoid scanning unknown QR codes: be careful when scanning QR codes, especially if they appear in unexpected or unusual situations, such as on emails or letters from supposedly well-known companies. Check the URL before you access it: Many mobile apps offer the option to view the URL before you access it. Make sure the URL is trustworthy and secure before proceeding. Use a security application: Use security software specifically designed to scan QR codes for potential threats before accessing them. Avoid entering sensitive information: Do not enter personal or financial information on websites accessed via a QR code unless you are absolutely sure the source is trustworthy.

Where does quishing occur most frequently?

Quishing can occur wherever QR codes are used. Here are some of the most common locations Emails: Quishing codes can be embedded as attachments or images in phishing emails. Social networks: Fraudsters often place QR codes in posts or messages that supposedly lead to legitimate offers or information. Public places: QR codes on billboards, parking meters or other physical objects can be manipulated. Letters or invoices: Fake QR codes can appear on documents that look like invoices or requests for payment.

What are the risks of quishing?

The risks of quishing are manifold and can have serious consequences: Identity theft: Personal information such as name, address, date of birth or social security number can be used by criminals to steal the victim’s identity. Financial fraud: Attackers can tap into bank or credit card information and use it for fraudulent transactions. Malware infection: The QR code can trigger the download of malware, which then infects the victim’s device and accesses sensitive data or blocks access to the device. Theft of access data: A common target is access data, which criminals can use to access email accounts, bank accounts or social networks and commit further fraud.

Cookie Consent with Real Cookie Banner