Quishing turns QR codes into dangerous attack vectors. Here's how to stay safe.

What is a quishing attack? How does this exploit work, and what can you do to protect yourself from being targeted? Let's learn how squishing puts your devices and data at risk.

What Is Quishing?

Quishing, also known as QR code phishing, represents a phishing technique that involves QR codes to trick potential victims. Similar to other types of phishing attacks, the purpose is to steal sensitive information, install malware on your device, or make you visit a website.

Malicious individuals rely on QR codes becoming more popular, especially during the pandemic, when people got used to their use.

How Does Quishing Work?

Firstly, hackers plan a quishing attack by creating an innocent-looking QR code. There are plenty of online tools to create a QR code, and you can even make a QR code on your Android phone.

QR codes can redirect you to false payment portals, malicious links, or host virus-infected documents. Hackers place malicious QR codes in places where victims are likely to scan them to achieve their goals. So QR codes placed on posters, flyers, and phony advertisements at public places might hide a phishing attack. This includes restaurants, malls, parks, and airports.

How Can Quishing Affect You?

Because hackers use QR codes, you may not realize you’ve been a victim of a quishing attack until it’s too late. So you should know how quishing can affect you.

1. You Might Be Redirected to a Phishing Website

The scanned QR code might send you to a website designed to closely mimic the content you might expect. This way, hackers convince you to provide private information such as your phone number, email, or credit card number.

2. It Could Be a Malware Attack

QR codes can also host content such as malware, ransomware, or even Trojans. This software can be configured to automatically download and install on your device as soon as you scan the QR code. Hackers can install new software on your device, steal private information, or track your activity.

Besides installing malware on your device, scanning a QR code may cause you to lose control of your social media accounts. For example, scanning a QR code might install software that will send emails from your account or message people on social media platforms such as Instagram, WhatsApp, and so on.

How to Prevent Quishing Attacks

Not scanning any QR codes ever again might be a bit too much. However, there are a few ways to protect yourself against quishing.

1. Preview the URL

Before accessing the QR code destination, your device will preview the link. If the URL has been shortened and there’s no way you can tell what’s the destination, it’s better to stay away from it.

Additionally, check the security protocol as most secure websites use the HTTPS protocol instead of HTTP.

2. Check the QR Code Destination

If you’ve already accessed the website, take a look at the URL. If you notice any misspelled words, poor use of language, or low-resolution images, chances are it’s a phishing website. Also, if the site’s content creates a sense of urgency, or even demands immediate action, it’s better to leave the website.

3. Use Your Built-In QR Scanner

When in a rush, you might download a third-party app to scan a QR code or look for an online scanner. However, these tools might be developed and used by hackers to perform a quishing attack. To avoid it, we recommend you use your phone’s built-in QR scanner in the camera.

Quishing Explained

Similarly to other phishing attacks, quishing represents a serious threat to individuals and businesses. If you’ve been the victim of a quishing attack, it might take days, or even weeks until you figure it out. This is why you should think twice before scanning a QR code from an unverified source.