Experts are warning of the latest cyber threat to smartphone users – quishing.
Quishing uses the humble QR code to carry out a phishing attack, usually either to trick people into revealing sensitive information or infecting devices with malware.
In 2019, the QR code – short for quick response – was all but extinct. Invented in 1994 to track vehicles during manufacturing in Japan, it had slowly spread across the globe and was expected to take off in an increasingly digital world.
However, even after Apple gave the iPhone a QR code scanner in 2017 they were still far from ubiquitous – until Covid arrived, and suddenly we were scanning them left, right and centre to prove we were virus-free or get into restaurants.
With the habit still strong and QRs everywhere from loyalty cards to adverts on the bus, cyber criminals are jumping on the bandwagon.
‘Everyone with a smartphone happily scans a QR code, whether that be at a restaurant or museum or even to tip buskers on the street,’ said quishing expert Tim Callan, chief experience officer at technology firm Sectigo. ‘While QR codes do have their benefit, their rising popularity means they have also entered into the cybercriminals’ arsenal of weapons.
‘It is worryingly easy for bad actors to falsify links and addresses. A bad QR code could infect your device or make you click on a link to a dangerous website.’
To avoid falling for a quishing scam, Mr Callan recommends avoiding QRs you can’t fully trust.
‘To avoid quishing scams users shouldn’t scan any QR codes where you cannot easily verify the identity of the end user,’ he said. ‘Think carefully before scanning QR codes in public places, such as for promotional posters, stickers and adverts. Consider instead looking up the organisation directly through a secure browser.
‘Treat what you see in sites you access through unsolicited QR codes with a grain of salt, and be very careful about installing software or sharing information on the sites they link to.’
However, it is not just QR codes in public places that cannot be trusted. Scammers and hackers can also send them straight to your inbox, and because the link is encoded in an image rather than written out as text, it can slip past email filters that only scan the links they can read.
‘This innovative approach serves as a warning sign to organisations as well as the general public, reminding us of the importance of staying vigilant and informed in the face of emerging cyber threats,’ said Raluca Saceanu, CEO of Smarttech247.
‘The modus operandi of [a recent major] attack involves phishing emails posing as urgent Microsoft 365 account updates. These quishing emails feature PNG or PDF attachments containing QR codes, which recipients are prompted to scan to purportedly verify their accounts within a tight timeframe of 2-3 days.
‘The clever use of QR codes embedded in images enabled attackers to bypass email security scans for known malicious links, ultimately reaching the target’s inbox.’
Ms Saceanu warns anyone who receives a QR code via email to be cautious, especially if the message stresses urgency. Cyber criminals often succeed by generating a sense of panic in their victims, so people act quickly without checking.
She adds that you should always verify the source of the email. Even though it may look legitimate at first glance, cyber criminals can easily spoof email addresses. Look at the address itself, not just the name of the sender. Even if the address seems believable, a quick search for it may turn up anything untoward, and you can compare its format with the addresses you have previously received from the company or can see online.
For example, the courier Hermes makes clear on its website that any contact from its UK arm will come from addresses ending in @evri.com, @hermes-europe.co.uk or @myhermes.co.uk, but a recent scam email warning of an unsuccessful package delivery came from shipping@hermescourierexpress.com.
However, while cyber criminals are trying to use smartphones as a vehicle to personal information, your device is also a line of defence.
‘Your smartphone can be your ally in this battle,’ said Ms Saceanu. ‘Most QR code scanners will prompt you to confirm the destination URL before opening a browser, adding an extra layer of security.
‘Keep your smartphone’s operating system and apps up to date to ensure you have the latest security patches.’
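The two checks above, comparing the sender's address with the domains a company publishes and looking at the destination URL a scanner shows before it opens the browser, can be written down as code. The Python below is an added example and is not code from the article, from Sectigo or from Smarttech247. It uses the three Evri domains quoted in the article as the published list; the brand tokens, the sample From: headers and the sample URLs are constructed for the example, and the QR decoding step itself is assumed to have already happened (the payload is passed in as the string a scanner would display).

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the courier says it sends from, as quoted in the article.
EVRI_DOMAINS = frozenset({"evri.com", "hermes-europe.co.uk", "myhermes.co.uk"})
# Brand strings a lookalike domain would imitate (assumed for this example).
EVRI_BRANDS = ("hermes", "evri")


def classify_domain(domain, legit_domains=EVRI_DOMAINS, brand_tokens=EVRI_BRANDS):
    """known:     the domain, or a subdomain of it, is on the published list.
    lookalike: not on the list but contains a brand name, e.g. hermescourierexpress.com.
    unknown:   neither, e.g. a throwaway hosting domain."""
    domain = domain.lower().rstrip(".")
    if domain in legit_domains or any(domain.endswith("." + d) for d in legit_domains):
        return "known"
    if any(token in domain for token in brand_tokens):
        return "lookalike"
    return "unknown"


def classify_sender(from_header, **kw):
    """Classify the real address in a From: header. The display name is ignored
    on purpose: the sender can set it to anything, so only the address counts."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    return classify_domain(addr.rsplit("@", 1)[1], **kw)


def inspect_qr_url(payload, **kw):
    """Return the things a person should notice in the URL a QR scanner shows
    before it opens the browser. An empty list means nothing stood out."""
    findings = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        # A QR payload need not be a web link at all (tel:, mailto:, app deep links).
        return ["non-web scheme: " + (parts.scheme or "none")]
    if parts.scheme == "http":
        findings.append("plain http")
    if parts.username is not None:
        # https://evri.com@attacker.example/ reads as evri.com but goes to attacker.example
        findings.append("userinfo before host")
    host = parts.hostname or ""
    if not host:
        findings.append("missing host")
        return findings
    verdict = classify_domain(host, **kw)
    if verdict == "lookalike":
        findings.append("lookalike host: " + host)
    elif verdict == "unknown":
        findings.append("host not on published list: " + host)
    return findings


if __name__ == "__main__":
    # Constructed sample data, modelled on the parcel-delivery scam in the article.
    for header in ("Evri <no-reply@evri.com>",
                   "Evri Customer Service <shipping@hermescourierexpress.com>"):
        print(f"{header!r}: {classify_sender(header)}")
    for url in ("https://www.evri.com/track/ABC123",
                "http://hermescourierexpress.com/redelivery",
                "https://evri.com@attacker.example/login"):
        print(f"{url}: {inspect_qr_url(url) or 'no findings'}")
```

The same two functions work for any organisation by passing its own published domains and brand names as `legit_domains` and `brand_tokens`; the scam quoted by Ms Saceanu would be checked against Microsoft's domains in the same way. Note that a "known" sender only means the address was not faked in an obvious way, so the URL check still applies to the QR code itself.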
And remember: check, then double-check. Be sure you know what you’re clicking on before you hit the button.