The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) warns of two
recent phishing campaigns involving QR codes, known as ‘Quishing’ or QR-phishing.
In quishing scams, cyber criminals generate fake QR codes that mimic legitimate ones
in order to deceive users into providing their personal information, such as login
credentials or financial information. Once the code is scanned, it takes the user
to a counterfeit website where they are prompted to enter sensitive data.
The recent quishing campaigns observed by the NJCCIC involved emails impersonating
IT departments indicating that the user could scan the QR code to initiate updates
or maintenance of 2FA (two-factor authentication). The campaign used two methods of
delivering the fake QR codes: one inserted the code directly in the body of the email,
while the other attached the QR code in a PDF.
Separately, the Better Business Bureau (BBB) recently reported a QR code fraud scheme
in which scammers placed fake QR code stickers on top of legitimate ones in order
to send drivers to fraudulent sites to pay for parking.
Protect Yourself from Quishing Attempts
There are a few different ways in which scammers use QR codes to steal personal information
or commit other crimes:
- You Could Be Directed to a Phishing Website
  The website may look legitimate, but you will be prompted to enter personal information,
  such as your name, phone number, and credit card number. Scammers then use this to
  steal your financial information and/or identity.
- Your Device Could Get Infected With Malware
  QR codes can be configured to automatically download content onto your devices such
  as malware, ransomware, and trojans. Some infections have the ability to track you,
  steal your private data, encrypt your device, and even spy on you.
- The QR Code Could Send Emails from Your Accounts
  The codes can be programmed to access payment sites, monitor social media accounts,
  and send pre-written emails. For instance, a fake QR code can create and send emails
  from your account if you scan it.
What to Look Out For
There are some signs that indicate if you are dealing with a fraudulent QR code.
- Preview the URL destination before accessing the link on your phone; look out for
  URLs that are unreadable or shortened.
- Check if you are being directed to a ‘secure’ site, especially if you are asked to
  enter credit card or payment information. Secure sites will use HTTPS rather than
  HTTP and will have a padlock icon next to the URL.
- Look out for red flags on the website, such as misspellings, low-quality images, and
  inaccuracies.
- Be cautious with QR codes in public places or in the mail. Avoid scanning these as
  much as possible to minimize the risk of infection.
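One way to turn the checks above (and the action-triggering payloads described earlier, such as pre-written emails) into a repeatable triage step, as an added Python example that is not part of the advisory: it takes the text a QR scanner decoded and returns the red flags it finds. The sample payloads are constructed, and the shortener-host list is an assumption.

```python
from urllib.parse import urlsplit, unquote

# Assumed list of common link-shortener hosts (not from the advisory).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}

# QR payload prefixes that start an action (email, SMS, call, Wi-Fi join)
# instead of opening a web page.
ACTION_PREFIXES = ("mailto:", "matmsg:", "smsto:", "sms:", "tel:", "wifi:")


def triage_qr_payload(payload: str) -> list[str]:
    """Return the red flags found in the text decoded from a QR code.

    An empty list means no flag matched; it does not mean the link is safe.
    """
    flags = []
    text = payload.strip()
    lower = text.lower()

    # Action payloads can send mail or texts from the user's own accounts.
    if lower.startswith(ACTION_PREFIXES):
        flags.append("action payload: " + lower.split(":", 1)[0])
        return flags

    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        flags.append("not a web URL")
        return flags
    if parts.scheme == "http":
        flags.append("plain HTTP, no TLS")
    host = parts.hostname or ""
    if parts.username or parts.password:
        flags.append("credentials embedded before the host")
    if host in SHORTENER_HOSTS:
        flags.append("link shortener hides the destination")
    if host.replace(".", "").isdigit():
        flags.append("raw IP address instead of a domain name")
    if "xn--" in host:
        flags.append("punycode host may mimic a known brand")
    # A second URL inside the path or query usually means an open redirect.
    if "://" in unquote(parts.path + parts.query):
        flags.append("URL nested inside the URL (redirect)")
    return flags


# Constructed samples, not real campaign indicators.
SAMPLES = [
    "https://bit.ly/3abc-placeholder",
    "http://192.168.4.20/login",
    "MATMSG:TO:someone@example.com;SUB:hi;BODY:text;;",
    "https://mail.example.com/redir?u=https%3A%2F%2Fevil.example%2F",
]
```

A clean result from these checks still only covers the link itself: HTTPS and a padlock mean the connection is encrypted, not that the site is legitimate, and phishing sites routinely use both.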
If You Accidentally Scanned a Fake QR Code
If you receive an email with a suspicious or unsolicited QR code, report it! Click the
“Report Phish” button, located in the top navigation of your email account, to send
the email to IT Security for investigation. If you are unable to find the button,
open a ticket with the Technology Service Desk by forwarding the phishing email to
[email protected].
If you accidentally scanned a fraudulent QR code or provided any information before
recognizing the phishing attempt:
- Disconnect from your Wi-Fi or cellular network immediately. If you downloaded malware
  onto your device, turn off any internet connection as soon as you realize the file
  might be malicious.
- Change the passwords of any compromised accounts.
- If you’ve provided credit card or banking information, contact your bank and financial
  institutions to make them aware of the situation.
- Lastly, report the phishing attack to Information Security to receive recommendations
  for additional steps.
Visit NJCCIC for the latest information on cyber threats targeting New Jersey.