You may have heard of phishing before, where cyber criminals trick you into clicking on malicious links & attachments, but have you heard of Quishing?
Quishing is very similar to phishing, with the main difference being the use of QR codes. Scanning a Quick Response (QR) code is convenient and easy. It's also contactless, which made people feel safer in public places such as restaurants, many of which replaced paper menus with QR codes.
QR codes can link to almost anything: websites, apps, documents, pictures, social media & even WiFi connections. This versatility has, unfortunately, made them a target for cybercriminals.
There are two main ways criminals are exploiting their popularity:
Replacing genuine physical QR codes with their own – instead of the legitimate site you were expecting, you will be directed to a malicious, credential-stealing one.
Sending QR codes via email – just like ordinary phishing, criminals will attempt to get you to visit a malicious site via a QR code instead of a direct link. Because the link is encoded in an image rather than written in the message, most email services will not detect it, so the email is less likely to be flagged and sent to your junk folder.
How can you reduce the likelihood of being a victim of quishing?
Before scanning a QR code, ensure you trust the person or organisation asking you to scan it. If you are redirected to a website, DO NOT put any personal or financial information into the site unless it has a 'padlock' next to the web address & the address starts with 'https'. Note that the padlock only shows the connection is encrypted, not that the site belongs to who it claims to; check the domain name itself.
There never really is a need to scan a QR code in an email, as a link is typically provided. To spot quishing & phishing email attempts, look out for the following:
Is the email addressed directly to you, or is it vague?
Does it contain a threat to act urgently?
Are the logos and images of the quality you would expect?
Are there errors in spelling, punctuation and grammar?
Is the sender's name & email address genuine, or do they differ subtly from what they should be (e.g. Micr0soft, Twittter)?
Banks & reputable organisations will not ask for personal or financial information by email – call them to confirm.
If it sounds too good to be true, it probably is.
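The lookalike sender names mentioned above (Micr0soft, Twittter) can be caught automatically. The following is an added example, not part of the original article, of a mail-filter check that undoes common character swaps and then compares the sender's domain label and display name against a small, constructed list of protected brand names:

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample list of brands to protect; a real filter would load its own.
KNOWN_BRANDS = {"microsoft", "twitter", "google", "paypal"}

# Digit-for-letter swaps commonly used in lookalike names (e.g. Micr0soft).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

def normalise(label):
    """Fold accents and case, undo digit swaps, and treat 'rn' as 'm'."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return folded.lower().translate(HOMOGLYPHS).replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance, used to catch typos such as Twittter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(sender):
    """Return (brand, reason) if the sender's domain label or display name
    imitates a known brand without being it, otherwise None."""
    name, addr = parseaddr(sender)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    candidates = [domain.split(".")[0]] + name.lower().split()
    for raw in candidates:
        if not raw:
            continue
        norm = normalise(raw)
        for brand in KNOWN_BRANDS:
            if raw.lower() == brand:
                continue  # the genuine brand name is not a lookalike
            if norm == brand:
                return brand, f"{raw!r} uses lookalike characters for {brand}"
            if len(brand) >= 6 and edit_distance(norm, brand) == 1:
                return brand, f"{raw!r} is one edit away from {brand}"
    return None
```

Flagged senders should be quarantined or labelled for review rather than silently dropped, since the check is a heuristic and legitimate partners can have similar names.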
You can report phishing & quishing attempts to firstname.lastname@example.org so that the fraudulent email and links can be investigated and taken down.