Beware of QR code scams: Sophisticated tricks and how to avoid them

QR codes (Quick Response Codes) are everywhere these days, from restaurant menus, billboards, payment receipts to bus and train timetables.

Scanning QR codes has become a common habit, helping users access information quickly with just a simple operation on the phone. However, this convenience has become a double-edged sword when cybercriminals take advantage of the habit of scanning QR codes indiscriminately to deploy a new form of fraud called Quishing.

Criminals can insert malicious QR codes into familiar surfaces or send them via email or text message to lure victims into scanning the code and visiting fake websites, thereby stealing personal information or spreading malware onto the device.

What is Quishing?

Quishing is a form of cyber attack in which a bad actor embeds a malicious URL web address into a QR code to trick users into visiting fake websites.

Instead of leading to a legitimate website, this QR code may redirect you to a phishing site designed to steal logins, passwords, and personal data.

Or sneakily download malware onto your device, allowing hackers to take control, steal data, or lead to websites containing dangerous content.

It may sound simple, but Quishing is a real danger. While you can check the URL before clicking on it when browsing the web, with QR codes you have no idea what is hidden inside. With just a scan, you can be taken to a fake website or forced to download a dangerous file without even knowing it.

Furthermore, users are easily fooled by QR codes because they appear everywhere, from restaurants, cafes, to event tickets, advertisements, making people scan them without suspicion.

Additionally, many businesses use third-party URL shorteners or QR code generation platforms. This means that the embedded link in the QR code does not always lead directly to their official website, making it more difficult to determine which QR codes are safe.

Quishing is not just a potential threat but has happened in real life and proven to be highly effective scams.

Fake QR codes are being used for fraud all over the world. Cybercriminals simply print a sticker containing a malicious QR code and stick it over the legitimate QR code in public places such as restaurants, parking lots, train stations, etc.

How to protect yourself from Quishing?

Quishing is an increasingly sophisticated threat, but you can protect yourself with some simple but effective measures. Here are some key steps to help you avoid falling victim to this type of scam:

1. Use a secure QR code scanner

Prefer the default QR code scanner that comes with your phone (e.g. camera on iOS and Android).

Avoid downloading QR code scanning apps from third parties, as many of these have poor histories with security and privacy, may collect data, or even contain malware.

2. Check the URL address before opening the link

After scanning the code, preview the website address before clicking.

Avoid links that use URL shorteners (like bit.ly, tinyurl, goo.gl), as scammers can hide the real address of the phishing site.

3. Limit the use of QR codes for payment

If possible, avoid paying via QR code, especially if the code is posted in a public place. If the payment link leads to a dubious web address or is not from an official bank/app, stop immediately.

Be careful of fake websites, as cybercriminals often use domain names that closely resemble legitimate websites (e.g., paypall.com instead of paypal.com). Always double-check your spelling before entering sensitive information.

4. Don't scan random QR codes in public places

Avoid scanning QR codes that appear on billboards, flyers, or stickers on payment machines, as they may have been replaced with malicious code.

If you need to scan QR codes from public places, ask staff to confirm the code is legitimate.

5. Enhance security on your device

Turn off automatic downloads in your web browser to prevent malware from being downloaded when you visit phishing sites.

Turn on privacy protection features, like blocking unsafe websites or warnings when visiting suspicious websites.

6. Double check the physical QR code before scanning

Take a close look at the QR code you're about to scan. If it looks like it's been overwritten, edited, or doesn't match the design around it, stay away.

If you see a QR code sticker on a payment machine or in a public place, check for signs of tampering and ask a staff member to verify.

In short, cybercriminals are getting more and more sophisticated in creating Quishing attacks. Always be vigilant, double-check the web URL before clicking, and avoid scanning QR codes from untrusted sources to protect your personal and financial data.