QR Codes once seemed like a novelty, but in a post-COVID world, these scannable squares seem to be everywhere. We pay with them, access restaurant menus, download information for events, and more.
Unfortunately, some cybercriminals now also use the novelty and legitimacy of the QR code to gain access to private information and extort funds. This is called QR code jacking or quishing.
How Does QR Code Jacking Work?
When the victim scans the QR code, they are taken to a website that imitates the expected product or service. This spoofing can be used in many ways, including:
- Stealing your credentials and identity by pressing you to log in.
- Infecting your device with malware, or installing downloaded spyware.
- Using your banking details to steal money from your account.
- Selling your contact information to data brokers and other scammers.
- Scamming you directly through high-pressure tactics (e.g., by impersonating your “bank” or “Microsoft”).
Where Does QR Code Jacking Occur?
This form of phishing is pervasive in two main areas: in the digital world and in public spaces.
The Digital Phish
Some users receive emails from addresses posing as companies like Microsoft, asking them to enter their login details. Usually, this comes with time pressure – a common tactic with scams and phishing attempts – designed to instill panic and prevent rational thought. In the example above, the user is threatened with losing email access if urgent action isn’t taken. Other common examples include:
- Deletion or suspension of an account
- The threat of losing funds, incoming or outgoing
- A limited time offer
- Some form of legal action or arrest
The sites the victim is led to often appear legitimate, featuring “authentic” company logos and design schemes. It can be hard to tell the difference unless you’re truly looking. However, you should always remember that companies and organizations frequently remind users that they’ll never ask for login details or credit card information via email.
The Public Space Phish
Quishing also occurs in public spaces where people are more likely to scan QR codes for information and to make payments. The scammers paste their codes over the original or recreate boards with the same look and feel as the organizations they try to imitate. For example, they may impersonate parking companies or paste fake QR codes over public information signs.
This form of quishing preys on the urgency of users in their daily life, not to mention their trust in such organizations. A commuter is less likely to look closely at a sign to check whether it’s legitimate or to notice that the QR code has been pasted over. Such carelessness, though, can be detrimental.
Staying Safe From Quishing
Now that you know more about this latest variant of phishing, how do you guard against it? Here are some of the major ways to do so:
- Don’t scan because you can – Always think twice before scanning anything with your smart device. Do you really need what this QR code is offering or asking you to do? Ensure that the code you’re scanning is attached to a trusted source. This especially applies to QR codes found in public spaces or sent via email.
- Be vigilant – If you are scanning a code in public, check the sticker to ensure it’s not superimposed on another. Check that the branding of an advert is consistent with that of the organization doing the advertising. If you’ve received an email with a code, double check the address of the sender and any suspicious endings. A bank with a Gmail account is fishy.
- Check the hyperlink – Any QR code still takes you to a hyperlink. The tried-and-true principle of checking links for phishing applies here, too. Beware of shortened hyperlinks and anything other than what you know to be an organization’s legitimate address. Most QR scanner apps show a preview of the link before you open it. Vet these links carefully by comparing them against the real site’s address.
- Use common sense – Banks will never ask for personal information via email, nor will most companies demand your password. If in doubt about a high-pressure tactic like account closure, check with the real organization before scanning.
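The “Check the hyperlink” step above can be turned into a repeatable check. The following Python script is an added example and not part of the original post: it takes the URL a QR scanner previews and the domain you already know to be legitimate (for instance, the one printed on your bank card) and reports the red flags the post describes: a shortened link, a raw IP address, a missing HTTPS, a lookalike domain that merely contains the trusted name, and the `user@host` trick that hides the real host. The list of shortener domains and the sample URLs are constructed for the example.

```python
"""Vet the link behind a QR code before following it (added example)."""
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Constructed list of common public URL shorteners. A shortened link hides its
# real destination, which is why the post warns against them.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}


def vet_qr_url(url: str, expected_domain: str) -> List[str]:
    """Return a list of warnings for ``url``; an empty list means no red flags.

    ``expected_domain`` is the registrable domain you know to be legitimate,
    so the decoded link is compared against the real site rather than trusted
    on its own.
    """
    warnings: List[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()

    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme!r})")

    if not host:
        warnings.append("no host in URL")
        return warnings

    # "https://bank.example@evil.example/" shows the trusted name before the
    # '@' but actually connects to the host after it.
    if parts.username is not None:
        warnings.append("URL contains credentials before '@'; the real host is hidden")

    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a domain name")
    except ValueError:
        pass  # a normal hostname

    # Internationalised labels can render as lookalike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode (possible lookalike characters)")

    if host in SHORTENERS:
        warnings.append(f"link shortener {host}: real destination is hidden")

    # Legitimate: the host is the expected domain or a subdomain of it.
    if host == expected or host.endswith("." + expected):
        return warnings

    # "bank.example.secure-login.net" contains the trusted name but is not
    # under it; this is the classic lookalike pattern.
    if expected in host or expected.split(".")[0] in host:
        warnings.append(f"host {host!r} imitates {expected!r} but is a different domain")
    else:
        warnings.append(f"host {host!r} is not {expected!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, as a QR scanner preview might show them.
    samples = [
        ("https://www.paypal.com/signin", "paypal.com"),
        ("https://bit.ly/3abcd", "paypal.com"),
        ("https://paypal.com.secure-login.net/", "paypal.com"),
        ("https://paypal.com@evil.example/", "paypal.com"),
        ("http://192.0.2.10/pay", "mybank.example"),
    ]
    for link, real in samples:
        flags = vet_qr_url(link, real)
        print(f"{link}\n  -> {'OK' if not flags else '; '.join(flags)}")
```

The check deliberately asks you to supply the legitimate domain yourself instead of guessing it from the link, because a convincing lookalike is designed to pass a casual glance; the comparison only works when the reference comes from somewhere other than the QR code.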
If you’ve encountered a QR code scam, let the company being imitated know about the quishing attempt. This can help them put a stop to things and save other users from potentially being scammed.
When my sweet old grandmother got caught up in an Amazon gift card scam, I decided then and there that I needed to do whatever I could to inform as many people as possible about the grifters of the world. That’s what I do here – writing about modern scams so you don’t get caught out.