QR codes skyrocketed in popularity during the touch-free days of the COVID-19 pandemic, and now they’re everywhere. From menus to forms and posters, who doesn’t like these scannable shortcuts to information and fast, frictionless payments?
Now QR codes also serve a much different purpose: as a tool for scammers.
In December 2023, the Federal Trade Commission warned of a new form of phishing. Appropriately coined quishing, the scam leverages QR codes to trick people into divulging personal information.
Online, scammers send emails containing QR codes that encode URLs to malicious websites. The emails appear legitimate by posing as package-tracking notices or by impersonating known senders such as human resources representatives or CEOs. During the third quarter of 2023, the cybersecurity platform Trellix detected over 60,000 QR code scam attempts in emails alone.
Offline, fraudsters replace legitimate QR codes with fake ones on common locations such as parking meters, menus, or posters. Once scanned, links stored within the QR code may automatically download malware, open payment websites, or bait users into providing their personal information or logins. When bad actors access sensitive data, they can overtake devices or impersonate users, furthering the scam by conning people in the victim’s networks.
QR codes are accessible, but the general public is not aware of their risks. Because QR codes appear as images or PDFs that obscure their URLs, these scams can go undetected by traditional security software. The sneaky tactic also takes advantage of smartphones’ less advanced security measures compared to computers, and scams aren’t on the radar of many consumers who learned to trust QR without inspecting each pixel.
For now, many quishing scams are slipping through the cracks.
The first major quishing campaigns hit in May 2023, targeting Microsoft users at a major U.S. energy company. By late March 2024, the volume of quishing emails spiked more than 2,400%, growing 270% on average each month. That same month, an Osterman Research and Ironscales report found that more than 3 in 4 surveyed companies, including many information technology companies, were victims of quishing within the past year. Paradoxically, nearly 4 in 5 (77%) respondents were “very” or “extremely” confident in their technology to size up security threats.
Cybersecurity firm Abnormal Security found about 9 in 10 (89%) quishing attacks detected by their technology were multifactor authorization requests designed to take users’ credentials, according to their H1 2024 Email Threat Report. The report also found that executives are overwhelmingly targeted by quishing, with 42 times more cyberattack attempts than employees in the first quarter of 2024. Executives may be at increased risk due to their higher levels of security clearance and access to confidential information that phishers desire.
Quishing is “just the first example of many other types of image-based attacks we’re going to see,” Ironscales Principal Technology Strategist Audian Paxson told SDxCentral.
Though savvy phishing scams are harder to spot with the rise of AI-based tools, consumers can feel empowered with greater awareness. Uniqode outlined tips for spotting phony QR codes and steering clear of quishing scams.
Beware of sticker scammers
Fake QR codes can look just like legitimate ones, so watch for any irregularities before you scan. If you notice that a menu or poster includes a QR code with bumps, peeled edges, or that appears stuck on, don’t scan it.
Update your phone OS and apps
The first line of defense against malicious QR codes is ensuring your phone has the latest operating system. Two-factor authentication software that confirms your identity using your cellphone or apps is another important safeguard.
Block automatic downloads
When scammers use QR codes and other image files as vehicles for malware and malicious content, automatic downloads can wreak havoc before users even realize it. Configuring email settings to block images from loading automatically can help protect users and organizations, according to a 2023 Mimecast report.
Don’t engage with unrecognized senders—and double-check those you know
If an email from an unknown sender asks you to scan a QR code, open links, share information, or download documents—just don’t. Detection is trickier when cyberattackers use known brands like Microsoft, Docusign, and Amazon, in part because scammers now leverage companies that are relevant at a given time, such as posing as Amazon ahead of Cyber Monday. If you receive a suspicious email from a known sender, call them and ask for confirmation. In short, if an email seems phishy, don’t engage—report it.
Don’t fall for faux urgency
Quishers use manipulative tactics to encourage immediate action, such as posing as a company that needs you to reschedule a delivery, or claiming your account was breached and asking you to confirm your information. To avoid a scam, the Federal Trade Commission recommends users preview URLs linked to QR codes for red flags like random strings of letters, misspellings, or switched letters.
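The FTC's advice to preview a QR code's URL can be turned into an automated pre-scan check. The following is an added example, not code from the original article or from any of the companies it cites: it takes the URL a scanner app has decoded and reports the red flags the article names (misspelled or letter-swapped brand names, random-looking strings) along with a few related signals security teams look for (a brand name under a different registered domain, credentials before an "@", raw IP hosts, link shorteners, punycode). The brand list, their assumed legitimate domains, and the shortener list are constructed sample data; a real deployment would use its own allow-list and a proper public-suffix list.

```python
"""Red-flag checks for a URL decoded from a QR code (added, illustrative example)."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: brands the checker knows, with the domain we ASSUME is
# their legitimate one. Quishing lures commonly borrow these names.
KNOWN_BRANDS = {
    "microsoft": "microsoft.com",
    "docusign": "docusign.com",
    "amazon": "amazon.com",
    "paypal": "paypal.com",
}
# Constructed sample of link shorteners; they hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one substitution ('micros0ft') is 1, a swap ('amaozn') is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(label: str) -> Optional[str]:
    """Brand that `label` imitates via a typo, swapped letters or digit substitution."""
    if label in KNOWN_BRANDS:
        return None  # the genuine name is not a lookalike
    for brand in KNOWN_BRANDS:
        if abs(len(label) - len(brand)) <= 1 and edit_distance(label, brand) <= 2:
            return brand
    return None


def looks_random(token: str) -> bool:
    """Long token mixing letters and digits, or long run of letters with few vowels."""
    if len(token) < 10:
        return False
    if re.search(r"\d", token) and re.search(r"[A-Za-z]", token):
        return True
    letters = re.sub(r"[^A-Za-z]", "", token)
    return bool(letters) and sum(c in "aeiouAEIOU" for c in letters) / len(letters) < 0.2


def inspect_qr_url(url: str) -> list[str]:
    """Return human-readable red flags for `url`; an empty list means none fired."""
    flags = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        flags.append(f"scheme is {parts.scheme!r}, not https")
    if parts.username is not None:
        # e.g. https://paypal.com@198.51.100.7/ shows a brand before the real host
        flags.append("credentials before '@' disguise the real host")

    try:
        ipaddress.ip_address(host)
        flags.append(f"host is a raw IP address {host}")
        is_ip = True
    except ValueError:
        is_ip = False

    labels = host.split(".") if host else []
    # Simplification: treat the last two labels as the registered domain
    # (this ignores multi-part suffixes such as co.uk).
    registered = ".".join(labels[-2:])

    if registered in SHORTENERS or host in SHORTENERS:
        flags.append(f"{host} is a link shortener that hides the destination")

    if not is_ip:
        for label in labels:
            if label.startswith("xn--"):
                flags.append(f"punycode label {label!r} may be a homograph")
            for piece in label.split("-"):
                brand = lookalike_brand(piece)
                if brand:
                    flags.append(f"label {piece!r} imitates brand {brand!r}")
        for brand, legit in KNOWN_BRANDS.items():
            if brand in host and registered != legit:
                flags.append(f"mentions {brand!r} but registered domain is {registered!r}")

    # Random-looking strings in the host or path are one of the FTC's red flags.
    for token in labels + [seg for seg in parts.path.split("/") if seg]:
        if looks_random(token):
            flags.append(f"random-looking token {token!r}")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs, as a scanner app might decode them.
    for sample in ("https://www.microsoft.com/account",
                   "http://amazon.com.track-parcel.net/x7Kq9pLm2vB4",
                   "https://micros0ft.com/login"):
        print(sample, "->", inspect_qr_url(sample) or "no red flags")
```

The flags are signals to weigh before opening the link, not a verdict: a legitimate tracking URL can carry a long opaque token, and a legitimate subsidiary can use a brand name under another domain. The value of the check is that it applies the FTC's "preview the URL" advice consistently, including to the letter-for-digit swaps a quick glance on a phone screen tends to miss.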
Trust your gut
Sharp instincts can also help users avoid the quishing traps. Be wary of improbable deals and emotional appeals, and never disclose personal information like Social Security numbers—the same advice for avoiding most scams.
Before you scan, exercise caution. Just like attachments and links, QR codes can be questionable. AI-based image recognition software may be able to help detect malicious QR codes, and hopefully security will catch up to scammers. For now, good old common sense works too.
Story editing by Alizah Salario. Copy editing by Paris Close. Photo selection by Lacy Kerrick.