Have you heard of Quishing?

EAST has just published a Payment Alert about a new form of phishing called Quishing (QR Code Phishing).

What is Quishing?

The use of QR (Quick Response) codes is growing. Quishing involves the use of manipulated or fake QR codes by hackers to carry out fraudulent activities, such as stealing personal information and spreading malware. A fake QR code may be sent to you in an email, or you may scan what you think is a genuine one (criminals stick fake QR codes over genuine ones in places like restaurants and other service establishments).

Once you scan a fake QR code:

  • You could be redirected to a phishing website that looks almost exactly like the homepage of a trusted organisation. Because of the familiarity, you might feel comfortable entering your personal data (home address, banking credentials, payment card data etc). Once you do this the criminals can try to steal your identity and financial assets.
  • Your device might become infected with malware, as the fake QR code could have automatically started a download as soon as you scanned it. This could allow the criminals to spy on you or to use pressure tactics to extort money from you.
  • You could be taken to a fake login portal for an online account (such as a home shopping account to help with a ‘delivery problem’). Once you log in, the criminals have your login data for that account and can start to exploit it.

How to protect against Quishing

Here are five things you can do to avoid the dangers of Quishing:

  1. Quishing is a form of phishing, so the same rules of caution apply: Once you scan a QR code, don’t click on any unfamiliar or shortened links, and look for slight spelling changes in familiar names or web addresses.
  2. Emails:  Beware of any sense of urgency and never scan a QR code in an email from a sender that you do not recognise (the sender’s email address may not be the same as that of the organisation the criminal is trying to portray).
  3. QR Codes in the service environment:  When you scan a QR code on your phone, a preview of the URL will pop up. Check it carefully and don’t click on any unfamiliar or shortened links.
  4. Login portals:  If a QR code takes you to a page that asks for login credentials, STOP and do not enter your data.  If you feel that there could be a problem with an online account, or with a purchase or a delivery, then always go directly to the genuine website from a secure web browser or call the organisation using a trusted number.
  5. Malware:  To protect against malware from Quishing (or from any other sources), don’t click on suspicious looking links (see the first recommendation above) and always keep the antivirus software on your device regularly updated.
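
The URL checks from the list above (shortened links, unfamiliar names, slight spelling changes in familiar addresses), applied in Python to the text a QR scanner decodes. This is an added example, not part of the original alert; the trusted hosts and sample URLs are constructed, and the shortener list is illustrative rather than complete.

```python
from urllib.parse import urlsplit

# Constructed allowlist of sites the user already knows (assumption; .example is a reserved TLD).
TRUSTED = {"bank.example", "shop.example"}
# A few well-known link-shortening services (illustrative, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_qr_url(url: str) -> list[str]:
    """Return warnings for a URL decoded from a QR code; an empty list means a familiar site."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["no-host"]
    if host.startswith("www."):
        host = host[4:]
    if host in SHORTENERS:
        return ["shortened-link"]  # the real destination is hidden behind the redirect
    if host in TRUSTED or any(host.endswith("." + t) for t in TRUSTED):
        return []
    # Slight spelling change of a familiar name: small edit distance to a trusted host.
    near = sorted(t for t in TRUSTED if edit_distance(host, t) <= 2)
    if near:
        return [f"lookalike-of:{t}" for t in near]
    return ["unfamiliar-domain"]


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in ("https://www.bank.example/login",
                   "https://bannk.example/login",
                   "https://bit.ly/3xYzAbC",
                   "https://parcel-redelivery.example/pay"):
        print(sample, "->", check_qr_url(sample) or "ok")
```

A trusted name that appears only as a prefix of a longer host (for example `bank.example.evil.test`) is reported as unfamiliar, because the match is made on the end of the hostname.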

Below is a QR code that should take you to the ‘Stay Safe Online’ page on this website. If you scan it on your device, make sure that you see the URL before proceeding to click on it!

Stay Safe from Quishing

Europol’s Public Awareness and Prevention Guides contain information that can help citizens protect themselves and their property.

The EAST Expert Group on Payment and Transaction Fraud (EPTF) focusses on the security of payments and transactions and covers the prevention of phishing and Quishing within its brief. The 17th EAST EPTF meeting took place on 8 November 2023.
