Since the Covid pandemic, QR codes have become a common part of everyday life. The strange boxy barcodes were often used on Covid passes (remember them?) to prove vaccine status.

And now we are familiar with how to use them, businesses are deploying QR everywhere.

What is ‘quishing’?

QR codes are incredibly versatile. You can encode virtually anything in in one of those squares, from website addresses to WiFi passwords to contact details and more. And anyone can make their own using free QR code tools online.

Seeing a new opportunity, hackers are generating QR codes that direct victims to fake websites. Just like a traditional phishing website, the user will then be encouraged to disclose sensitive personal information like passwords or credit card details. Sometimes the victim may also be encouraged to download malware from the site.

So by adding ‘hacked’ QR codes to emails, instant messages or social media replies, hackers can trick people into visiting fraudulent websites.

Why is quishing effective?

There are two reasons why quishing is effective. First, you cannot ‘read’ the encoded website without scanning the QR code, making it hard to identify if the address is legitimate.

Second, it is common practice to use URL shorteners when creating QR codes to make them perform more effectively. But even if your QR code scanner app shows the website address before you visit. It is impossible to accurately determine where the shortened URL points to. Which means you may expose yourself to additional risk by clicking through the link.

How to defend against quishing?

The good news is that defending yourself against quishing is very similar to protecting yourself against regular phishing.

First, never scan a QR code from an unknown source. If attached to an email or message from a known and trusted sender, or printed in a magazine, the code is likely to be safe. But if the image comes from an unknown account, or you see one out in public (stuck to a wall for instance), you should not scan it because you cannot verify its authenticity.

Second, keep your wits about you. If you do scan an unknown QR code. Make sure you do the usual checks of the destination website before entering any personal information or downloading any files. Make the sure the website is secure (check for the padlock icon in your address bar) and that the address itself is correct (facebook.com NOT facebookmail.com etc).

Third, enable muiti-factor authentication on your online accounts. If you are tricked into visiting a fraudulent website and you do disclose your password, cybercriminals will still not be able to use that information. The reason is because they do not have access to your other authentication tools (such as the Google Authenticator app). Hopefully you never find yourself in this position however.

Use your common sense

Despite the emergence of new threats like quishing, many of these attacks can be easily avoided by remaining aware and using your common sense. And remember, you should also download a free trial of Panda Dome to provide backup protection – just in case!