Summary
- Quishing is a digital threat where malicious URLs are embedded in QR codes to steal your information or infect devices.
- QR codes used for parking meters, restaurant payments, and promotions are being tampered with.
- To protect yourself, use default QR scanners, verify URLs, avoid unknown payment links, and enable browser privacy settings.
QR codes are everywhere now: from restaurant menus to public transport timetables, everyone wants you to scan their QR code. This normalization of scanning random QR codes is being taken advantage of, presenting a new cybersecurity threat called Quishing.
What Is Quishing?
Quishing (QR code phishing) means embedding a malicious URL in a QR code. Rather than link to a legitimate site, the code loads a page that attempts to steal information, infect your device with malware, or perform some other harmful act.
It’s a silly-sounding name, but it presents a real threat. While we’re all aware that you shouldn’t visit disreputable websites or download unknown files, a QR code is not human-readable, so there’s no way of knowing what’s on the other side of one just by looking at it. With a scan and a tap, you’re whisked away to a website that may display content you did not want to see, or redirected to a malicious file download.
It’s easy to be tricked into scanning a QR code, too: many businesses rely on third-party services and URL shorteners to create their QR codes, meaning that the embedded links won’t necessarily lead directly to their official websites. This makes it difficult to detect whether someone performing a quishing attack has tampered with a QR code.
Is Quishing Really a Threat?
Yes. It’s already happening, and it’s effective. QR codes for parking meters, restaurant payments and tip systems, and fake promotions are being tampered with worldwide to perpetrate quishing scams, often by simply placing a sticker with a fraudulent QR code over an existing official one. These trick codes then link to fake login pages and payment sites that either have you pay the scammer directly, or steal your information (which can be used to steal your money later, or push other scams).
How To Protect Yourself From Quishing
There are a few effective steps you can take to protect yourself from quishing:
- Use the default QR code scanner that comes with your device. QR scanners from app stores have a poor track record for security and privacy.
- Verify the address a QR is trying to send you to before opening the link, and avoid opening links that use URL shorteners.
- When possible, avoid using QRs to pay, especially if the payment link leads to an unknown address. Keep in mind, too, that fake websites often use similar-sounding names to official ones, so check the spelling!
- Don’t scan random QR codes in public.
- Enable privacy protection and turn off automatic downloads in your web browser.
- Look at the physical QR code you’re scanning. If it has obviously been tampered with, stay clear.
Making a QR Code for Your Business? Make It Safe
If you’re creating a QR code for use in your business, there are a few ways you can make your customers comfortable and secure using it. First, consider whether you need a QR at all—forcing people to pull out their phones, fiddle with their camera, and wait for your website to load is much less convenient than a simple printed menu.
If a QR is vital to the experience, make sure it links directly to a page on your official business website. URL shorteners mask the intended destination, and are known to inject ads or redirect your QR to their own pages. You should also periodically check your physical QR codes to make sure no one has tampered with them by placing a sticker of their own code over yours to try to catch your customers in a quishing attack.
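The checks recommended above (verify the address, avoid shorteners, watch for misspelled names, link directly to the official site) can be applied to the text decoded from a QR code during a periodic audit. This is an added example, not code from the original article; the function names, the shortener list, and the placeholder domain `example-cafe.test` are assumptions, and it assumes the QR code has already been decoded to a string.

```python
from urllib.parse import urlsplit

# Constructed, non-exhaustive sample of shortener hosts (assumption for this example).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def _strip_www(host):
    return host[4:] if host.startswith("www.") else host

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings of the official host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(decoded, official_host):
    """Return findings for the text decoded from a QR code; an empty list means it
    points straight at the official host over HTTPS."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    official = official_host.lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username or parts.password:
        findings.append("userinfo-in-url")  # text before '@' is not the destination
    if host in SHORTENERS:
        findings.append("url-shortener")    # real destination is hidden
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")    # may render as look-alike characters
    if host == official or host.endswith("." + official):
        return findings
    near = edit_distance(_strip_www(host), _strip_www(official)) <= 2
    findings.append("lookalike-host" if official in host or near else "unexpected-host")
    return findings

if __name__ == "__main__":
    # Constructed sample payloads; example-cafe.test is a placeholder domain.
    for url in ("https://example-cafe.test/menu", "http://examp1e-cafe.test/pay",
                "https://bit.ly/3abc", "https://example-cafe.test@pay.example/x"):
        print(url, "->", check_qr_url(url, "example-cafe.test") or "ok")
```

Any non-empty result for a code printed on your own premises means the sticker or print should be inspected and replaced.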
Your mobile device contains your entire digital life, so it’s important to keep it secure and utilize all the privacy features it offers. Check out our top 7 Android security features, and our 8 iPhone privacy features to find out how you can better protect yourself.