Payment Dispute Standards and Compliance Council

Quishing: The New Threat Lurking in QR Codes

Many of us are familiar with ‘Phishing’, but have you heard of ‘Quishing’? Quishing is a type of fraud where criminals use QR codes to lead victims to malicious websites. Once there, the attackers can steal sensitive information or infect the victim’s device with harmful malware. Action Fraud, the national fraud reporting centre, investigated more than 1,200 Quishing scams over the past three years, indicating a steep rise in this method of fraud.

How Does Quishing Differ from Phishing?

Phishing has been a common tactic for many years, where cybercriminals trick victims into visiting malicious websites by sending fake emails or text messages that appear to come from trusted organisations. The aim is to lure victims into clicking on a harmful link, leading to the theft of sensitive information or the installation of damaging malware which can be used to spy on, or gain control of, a device.

While both Phishing and Quishing share the same end result, the key difference lies in the method used by the scammers: Quishing uses QR codes instead of links in emails or texts. This method has grown in popularity, especially since the COVID-19 pandemic, when QR codes became widely used in restaurants and other settings to minimise contact. QR codes are now widely used across different industries for seamless access to digital information, services, and payments, from restaurants and retail to healthcare, events, and marketing, giving cybercriminals a new, convenient way to target their victims.

QR codes can look identical to the untrained eye, making it easy for unsuspecting individuals to be tricked into scanning a malicious code. For scammers, this approach also simplifies the process – there’s no need to craft a convincing fake message, just a well-placed QR code that can easily blend in with legitimate ones. As a result, Quishing is becoming an increasingly popular tool for cybercriminals to exploit.

Quishing Scenarios

Quishing attacks can occur in various scenarios. Here are just some of the ways scammers use QR codes to lure their victims into fraudulent schemes.

  • Free Wi-Fi

Restaurants, hotel lobbies, bars, hospitals, and other public places often display notices with QR codes, offering free Wi-Fi to their customers or visitors in waiting areas. Scammers take advantage of this by placing fake QR codes in these locations or by covering legitimate ones with their counterfeit versions.

  • Parking Ticket Machines

To make parking payments more convenient, companies often display a QR code on their machines which leads the customer to a payment portal. Scammers exploit this by covering the legitimate QR code with their fraudulent version.

  • Offers/Incentives

Legitimate merchants frequently use QR codes to direct customers to special offers or incentives on their website. Scammers, however, can create convincing fake advertisements with fraudulent QR codes, luring unsuspecting customers to malicious sites.

  • Emails or Text

Scammers impersonate legitimate companies, such as banks, online merchants, or delivery services through fraudulent emails or text messages. These messages contain deceptive QR codes that direct customers to malicious websites, where they are tricked into providing sensitive information or downloading malware.

The Challenges of Quishing

In addition to the obvious end result of fraud, Quishing attacks present several other challenges. They are much harder to detect and block compared to the more traditional Phishing methods of fraud. Security is compromised because victims scan the QR code with their device, which may lack anti-Phishing defences or antivirus software. Additionally, spotting malicious QR codes is more difficult than recognising a suspicious link in a message. This is because the URL is often hidden until after the scan.

How Quishing Affects Consumers

Quishing can result in serious consequences for consumers. By scanning a malicious QR code, followed by either a malicious link or fraudulent questions, they may unknowingly divulge personal, sensitive information the scammer is hoping for, such as passwords, financial details, or personal credentials. This can lead to identity theft, unauthorised financial transactions, or the installation of malware on their device. As QR codes often appear in trusted environments such as restaurants or other public spaces, consumers are likely to let their guard down, making it easier for criminals to exploit them.

In addition to this, if consumers fall victim to Quishing scams, they may not receive the goods or services they expected, leading to chargebacks against merchants. This not only results in a financial loss for the consumer but also creates complications in resolving disputes with their bank or card provider.

How Quishing Affects Merchants

Merchants may also take a hit as a result of Quishing. If malicious QR codes are placed in or around their business – either by criminals or through their accidental use of compromised codes – it can severely damage their reputation and customer trust. Customers affected by these scams might blame the merchant, even if the merchant is unaware of the malicious activity.

Furthermore, if consumers raise chargebacks due to not receiving goods or services as a result of Quishing, merchants may face financial losses and additional burdens in managing these disputes. In an increasingly digital landscape, ensuring secure and legitimate QR code use is essential for merchants to protect their business and maintain healthy customer relationships.

How to Prevent Quishing Attacks

To prevent Quishing attacks, both individuals and businesses should take precautions through a proactive approach, combining awareness with technical measures when using or creating codes.

When scanning a QR code:

  • If you receive a QR code from a suspicious or unknown source, avoid scanning it.
  • Look out for tampered QR codes, especially in open spaces such as car parks or train stations – these could be visible stickers that have been placed over genuine codes. If in doubt, look for the official website and use this instead to make a payment.

If using a downloaded app to scan a QR code, always ensure the app offers additional security features. Alternatively, use the built-in scanner that comes with your phone.

When creating a QR code for a business:

  • Ensure you use a reputable QR code generator that offers additional security features. Avoid less well-known code generators or ones with bad reviews.
  • Double-check your content to ensure that the QR code contains the correct information, and if it leads to a link, confirm that the link leads to the correct website.
  • Test your QR code regularly. This will ensure that it has not been tampered with and remains legitimate.
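One way a business could automate the "confirm the link" and "test regularly" checks above is sketched below. This is an added example, not part of the original article. It assumes the text of each printed code has already been decoded by a scanner, and the URLs, location names and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed values for illustration: the URL the business intended to encode.
EXPECTED_URL = "https://pay.example.com/parking"

# Constructed payloads, as text already decoded from printed codes by a scanner.
SAMPLES = {
    "counter sign": "https://pay.example.com/parking",
    "old flyer": "http://pay.example.com/parking",
    "machine 3": "https://pay.example.com@parking-pay.example.net/parking",
    "entrance": "https://xn--py-example.example.org/parking",
}


def check_qr_payload(payload, expected_url=EXPECTED_URL):
    """Return the reasons a decoded payload does not match the intended URL."""
    got, want = urlsplit(payload.strip()), urlsplit(expected_url)
    host = (got.hostname or "").lower().rstrip(".")
    want_host = (want.hostname or "").lower()
    problems = []
    if got.scheme.lower() != "https":
        problems.append(f"scheme is {got.scheme!r}, not https")
    if "@" in got.netloc:
        # Text before '@' is login info, not the site; it can mimic a trusted name.
        problems.append("URL carries userinfo before the real host")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        problems.append("internationalised host, possible lookalike")
    if host != want_host:
        problems.append(f"host {host!r} is not {want_host!r}")
    try:
        port = got.port
    except ValueError:
        port = -1  # malformed port counts as unexpected
    if port not in (None, 443):
        problems.append("unexpected port")
    if got.path.rstrip("/") != want.path.rstrip("/"):
        problems.append(f"path {got.path!r} differs")
    return problems


def audit(samples=SAMPLES, expected_url=EXPECTED_URL):
    """Map each printed code's location to its list of problems (empty = OK)."""
    return {where: check_qr_payload(p, expected_url) for where, p in samples.items()}


if __name__ == "__main__":
    for where, problems in audit().items():
        print(where, "->", "OK" if not problems else "; ".join(problems))
```

An empty list means the printed code still carries the intended link; any entry means the code at that location should be inspected and replaced.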

As Quishing attacks become increasingly prevalent, both consumers and merchants must remain vigilant to protect themselves against this evolving threat. By understanding the risks associated with QR codes and implementing effective preventive measures such as educating themselves and others about secure practices, they can mitigate potential harm. Ultimately, remaining aware and exercising caution will not only safeguard personal information and financial assets, but also help maintain trust in the digital landscape, ensuring a better environment for both consumers and merchants alike.