Quishing, a term derived from “QR code phishing”, is a type of cyberattack in which cybercriminals use malicious QR codes to trick people into visiting fake websites or downloading malware onto their devices. These malicious QR codes can be embedded in emails, advertisements and flyers, or simply stuck on top of pre-existing QR codes to target an unsuspecting user. The attacker’s goal is to steal sensitive information such as passwords or financial data, or to infect the user’s device with malware that enables further exploitation later.
QR codes are designed to make life easier, but this simplicity is what makes them a prime target for cybercriminals. Since the user can’t see the URL hidden in the QR code until after scanning, quishing can be challenging to detect until it’s too late.
A Quick Response code, or QR code, is a type of two-dimensional barcode that can be scanned quickly and easily by digital devices such as smartphones. QR codes can store large amounts of data that a user scans to retrieve, usually by opening a webpage, although QR codes can also trigger phone calls, text messages and even digital payments. For instance, QR codes have become quite popular in restaurants as a way to provide customers with a digital menu.
Quishing’s success lies in the psychological tendencies and behavioral habits of its victims. QR codes are widely regarded as convenient and trustworthy, but unfortunately this makes users less likely to approach them with skepticism.
With the rise of QR codes in everyday life, whether that be for restaurant menus, contactless payments, or event check-ins at hotels, people have become comfortable scanning a QR code without a second thought.
Unlike traditional phishing links, QR codes obscure the actual web address they lead to which makes it difficult to verify their legitimacy at a glance.
Cybercriminals often craft messages that create a sense of urgency, such as warnings about account security or offers of exclusive deals, prompting users to act impulsively.
These factors, combined with the inherently visual and interactive nature of QR codes, make quishing a particularly effective attack vector.
Quishing attacks usually involve replacing legitimate QR codes with malicious ones. These fraudulent codes can appear in various places such as posters, at payment terminals, restaurants or even in emails and text messages. Once the QR code is scanned by the target, they will be brought to a malicious website designed to steal their personal information or to trick them into downloading harmful software.
In some cases, scanning a malicious QR code doesn’t just lead to a fake website as it can also trigger the download of malware onto your device. This opens the door for cybercriminals to steal your data, spy on your activities (spyware), or even lock you out of your system until you pay a ransom (ransomware). QR codes in phishing scams are particularly dangerous because the user might not realize their device has been compromised until it’s too late.
Anyone can fall victim to quishing, but certain groups are more at risk. For instance:
Travelers: Tourists often rely on QR codes for navigation, payments, and accessing information in unfamiliar places.
Elderly users: Elderly people are often a target of these types of cyberattacks as they are typically more unaware of these types of phishing techniques.
Mobile users: With the convenience of mobile payments and online transactions, QR codes make it easy to pay quickly, but also easier to become a scam victim.
Businesses and employees: Companies using QR codes for contactless services may unknowingly expose themselves or their customers to these attacks.
Here are some signs to look out for to avoid a quishing attack:
If a QR code appears damaged, misplaced, or out of place, it’s best to avoid scanning it. Cybercriminals often place their own QR stickers over legitimate ones.
Be wary if you’re suddenly asked to enter personal details, financial information, or download software after scanning a code.
Verify QR codes promising rewards, discounts, or prizes—they could be traps. Scammers often use enticing offers to lure victims.
Inspect the URL embedded in the QR code. If it is excessively long, convoluted, or contains random characters, it could lead to a phishing site. You should also avoid sites accessed through a QR code that request payments, and instead enter a known and trusted URL for transactions.
Be skeptical of QR codes that ask for excessive permissions (e.g., access to your camera, contacts, or location) beyond what is necessary.
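The URL checks described in the signs above, written out as an added example that is not code from the original page: a Python triage function for the text a QR reader has decoded, run before the user follows it. The allowlist, shortener list, length limit and sample URLs are constructed placeholders, not values from the page.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed allowlist of hosts this organisation actually uses (hypothetical values).
TRUSTED_HOSTS = {"pay.example-parking.com", "menu.example-restaurant.com"}
# Shorteners hide the final destination just as the QR code itself does.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
MAX_LEN = 120

def shannon_entropy(s: str) -> float:
    """Bits per character; long random-looking strings score above 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def triage_qr_payload(payload: str) -> list:
    """Risk flags for the text decoded from a QR code; an empty list means no flags."""
    flags = []
    scheme = payload.split(":", 1)[0].lower() if ":" in payload else ""
    # Non-web actions: QR codes can also trigger calls, texts and payments.
    if scheme in {"tel", "sms", "smsto", "mailto"}:
        return [f"non-web action ({scheme}:), confirm it out-of-band before acting"]
    u = urlparse(payload)
    if u.scheme not in {"http", "https"}:
        return [f"unexpected scheme {u.scheme!r}"]
    host = (u.hostname or "").lower()
    if u.scheme == "http":
        flags.append("plain http, any card data or password would travel unencrypted")
    if host in TRUSTED_HOSTS:
        return flags  # known destination: only the transport flag, if any, remains
    flags.append(f"host {host!r} not in allowlist, type a known URL instead")
    if host in SHORTENERS:
        flags.append("URL shortener hides the final destination")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw IP address instead of a domain name")
    if "xn--" in host:
        flags.append("punycode host, possible look-alike domain")
    if len(payload) > MAX_LEN:
        flags.append(f"excessively long URL ({len(payload)} chars)")
    tail = (u.path + u.query).replace("/", "")  # where 'random characters' tend to land
    if len(tail) >= 16 and shannon_entropy(tail) > 4.0:
        flags.append("random-looking path/query")
    return flags
```

A QR reader app that previews the decoded text could run this before opening anything; an empty result means the destination is on the allowlist, not that it is safe in every respect.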
A common quishing attack is the parking meter scam highlighted by the Better Business Bureau (BBB), in which cybercriminals place fake QR codes on parking meters or payment terminals. Drivers who are not carrying any cash might scan the code to pay for parking, only to be directed to a fraudulent site that asks for their credit card details. The victim may not realize they’ve been scammed until days or weeks later, when unexpected charges start appearing on their statement.
Another growing threat involves scammers impersonating legitimate utility companies or government agencies using fake QR codes. Victims receive what looks like official communication, urging them to scan the code to pay a bill, but instead of paying their bill, they are directed to an imposter site that is designed to steal their financial information.
Think before you scan! Here are some practical tips to help protect both you and your organisation from a quishing attack:
If you encounter a QR code in a public space, such as a business or restaurant, it’s always a good idea to confirm with an employee before scanning. As the BBB suggests, pay particular attention to any signs that the QR code might have been tampered with.
Scammers are increasingly using fake QR codes in phishing emails or text messages. Never scan a code or click a link sent by an unknown sender.
Some QR code reader apps provide a preview of the URL before redirecting you to a website. This extra step can help you assess whether the link is trustworthy before proceeding.
Keep your device’s security software up to date, as this can help detect and block malicious downloads that may result from scanning a harmful QR code.
When using QR codes for payments and especially if you're in an unfamiliar location, you should verify that the payment terminal or website is legitimate before entering any financial information.
Trend Micro™ Email Security screens out malicious senders and analyzes content to filter out spam. It examines sender authenticity and reputation and defends against malicious URLs.
Cross-generational threat defense techniques bolster protection against threats, establishing visibility and control across evolving threat landscapes.