Quishing: Understanding the threats behind QR codes

Despite being almost three decades old, QR codes took a while to gain traction, but they are now a very familiar part of our lives.

These (usually) square-shaped black and white symbols were invented not as a high-tech tool for smartphone users, but for something as practical as tracking automotive parts on a Toyota assembly line.

However, it's not just the efficiency of QR codes that has caught the world's attention. With their resurgence during the pandemic—they found a new lease of life in hospitality venues for contactless ordering, advertising, posters, sign-ups, and even business cards—they've also opened a Pandora's box of security threats, primarily Quishing (sometimes QRshing) or QR Code Phishing.

Understanding Quishing or QR Code Scams

Quishing is a technique in which cybercriminals exploit QR codes to trick people into divulging personal information or downloading malware. The crux of Quishing lies in the QR code's opacity to the human eye: unlike a URL, which can be read and judged for legitimacy, a QR code is indecipherable without a scanner.

The pain points of QR codes

The most significant pain point is the inability to preview the URL embedded within a QR code. Unlike hovering over a hyperlink on a computer to see where it leads, scanning a QR code typically takes users directly to the destination without any opportunity for appraisal. Some advanced QR scanner apps do offer malware and URL checking, but this is not widely known, and using such an app gives up part of what makes QR codes so appealing in the first place: opening the camera app and simply tapping through.
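What a "preview" of a QR payload can look like in practice, as an added example that is not part of the original article: the function below takes the raw text a scanner returns (the one thing a user cannot read by eye) and reports the indicators a security reviewer would check before the link is opened, without ever fetching it. The shortener list, the risk tiers and the sample payloads are constructed for illustration; the optional list of expected domains models the case where you already know which site the code is supposed to lead to, such as a venue's own ordering page.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Iterable, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed, illustrative list of public URL shorteners; extend as needed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Finding tags grouped by how strongly they argue against opening the link.
HIGH = {"userinfo", "ip-host", "punycode", "lookalike", "mismatch"}
MEDIUM = {"plain-http", "shortener", "embedded-url", "non-web"}


@dataclass
class QrCheck:
    payload: str
    url: Optional[str] = None          # set only for http(s) payloads
    findings: List[str] = field(default_factory=list)

    @property
    def risk(self) -> str:
        tags = {f.split(":", 1)[0] for f in self.findings}
        if tags & HIGH:
            return "high"
        if tags & MEDIUM:
            return "medium"
        return "low"


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_qr_payload(payload: str, expected_domains: Iterable[str] = ()) -> QrCheck:
    """Assess a decoded QR payload without ever fetching it.

    `payload` is the raw text a scanner returns. `expected_domains` is an
    optional allowlist of hosts the code is supposed to lead to; when given,
    any other host is reported as a finding.
    """
    result = QrCheck(payload=payload)
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()

    if scheme not in ("http", "https"):
        # Wi-Fi configs, vCards, mailto:, app-specific schemes: not a web link,
        # so the checks below do not apply; such payloads still deserve a look.
        result.findings.append(f"non-web: payload uses scheme '{scheme or 'none'}'")
        return result

    result.url = text
    host = (parts.hostname or "").lower()

    if scheme == "http":
        result.findings.append("plain-http: destination is not HTTPS")
    if parts.username is not None or parts.password is not None:
        result.findings.append("userinfo: a user:password@ component precedes the real host")
    if _is_ip_literal(host):
        result.findings.append(f"ip-host: host is a bare IP address ({host})")
    if any(label.startswith("xn--") for label in host.split(".")):
        result.findings.append("punycode: internationalised host label (possible homograph)")
    if host in SHORTENERS:
        result.findings.append(f"shortener: {host} hides the final destination")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            result.findings.append(f"embedded-url: query parameter '{key}' carries another URL")
            break

    expected = {d.lower() for d in expected_domains}
    if expected and host not in expected:
        # An expected name appearing *inside* a longer, unrelated host is the
        # classic lookalike pattern; report it separately from a plain mismatch.
        if any(d in host for d in expected):
            result.findings.append(f"lookalike: '{host}' contains an expected domain but is not one")
        else:
            result.findings.append(f"mismatch: '{host}' is not an expected domain")
    return result


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would return them.
    samples = [
        ("https://menu.example.com/table/12", ["menu.example.com"]),
        ("http://192.0.2.10/pay", []),
        ("https://menu.example.com.orders-verify.invalid/login", ["menu.example.com"]),
        ("WIFI:T:WPA;S:Cafe;P:secret;;", []),
    ]
    for text, allow in samples:
        r = check_qr_payload(text, allow)
        print(f"{r.risk:6} {text}")
        for f in r.findings:
            print(f"       - {f}")
```

The check deliberately stays offline: it reasons only about the decoded text, so it can be run on a payload before any network request is made. A "low" result means none of these indicators fired, not that the destination is safe; the allowlist is what turns the check from a heuristic into a real expectation.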

Increasingly sophisticated QR code design now allows appealing visuals or artistic elements to be incorporated, effectively camouflaging the fact that it is a QR code at all. Users may scan such a code accidentally, out of admiration for its design, and unwittingly start a malware download or be redirected to a phishing site. Some of these "art pieces" don't scan reliably with every scanner, but that hardly matters to the attacker: Quishing is the same numbers game that traditional phishing relies on. If only a few victims out of hundreds are caught out, it is worth every penny to the scammer.

Navigating the threat landscape

With the ease and ubiquity of QR codes comes a responsibility to navigate their associated risks. Users must be vigilant and critical about where and when they scan a QR code. While businesses and platforms are beginning to integrate security measures or use third-party ordering apps, the onus remains on the individual to exercise caution with their own data and finances.

The phenomenon of Quishing is a reminder that even the simplest technologies can be repurposed for nefarious ends. It is a call to both users and organisations to prioritise security over convenience, so that QR codes remain helpful tools rather than becoming gateways for cyber threats.

Strategies for organisations

  1. Use a unique but short URL, and have this written near the code for those who choose not to scan
  2. Ensure your website is served over HTTPS (SSL/TLS)
  3. For repeat customers, unique codes can be offered
  4. Check that QR codes at your establishment haven’t been tampered with or overlaid with a sticker
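A concrete way to carry out the tamper check in item 4, making use of the label printed beside each code from item 1, as an added example that is not part of the original article: staff scan every posted code during a walk round, read the printed ID, and compare what the code decodes to against a register of what was actually deployed. The register, the code IDs and the sample scans are constructed for illustration; URL canonicalisation keeps cosmetic differences such as letter case, a default port or a trailing slash from being reported as tampering, while codes that were deployed but never scanned are reported as missing.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed register of the codes an establishment deployed:
# printed code ID -> (where it is posted, the exact URL it was generated from).
DEPLOYED: Dict[str, Tuple[str, str]] = {
    "T01": ("table 1", "https://order.example.com/t/1"),
    "T02": ("table 2", "https://order.example.com/t/2"),
    "DOOR": ("front-door poster", "https://order.example.com/menu"),
}


def canonical(url: str) -> str:
    """Normalise a URL so cosmetic differences do not look like tampering."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    if p.port is not None and p.port != default_port:
        host = f"{host}:{p.port}"
    path = p.path.rstrip("/") or "/"
    return urlunsplit((scheme, host, path, p.query, ""))  # fragment dropped


def audit_code(code_id: str, scanned: str,
               registry: Dict[str, Tuple[str, str]] = DEPLOYED) -> Tuple[str, str]:
    """Compare what a posted code decodes to against what was deployed.

    Returns (status, message) with status one of "ok", "tampered", "unknown".
    """
    if code_id not in registry:
        return "unknown", f"{code_id}: no such code was deployed; remove it"
    location, expected = registry[code_id]
    if canonical(scanned) == canonical(expected):
        return "ok", f"{code_id} at {location}: intact"
    scanned_host = (urlsplit(scanned).hostname or "").lower()
    expected_host = (urlsplit(expected).hostname or "").lower()
    detail = "same host, different path" if scanned_host == expected_host else "different host"
    return "tampered", f"{code_id} at {location}: decodes to {scanned!r} ({detail}); replace it"


def audit_sweep(scans: List[Tuple[str, str]],
                registry: Dict[str, Tuple[str, str]] = DEPLOYED) -> Dict[str, List[str]]:
    """Audit one walk round's worth of scans; deployed codes never scanned are reported as missing."""
    report: Dict[str, List[str]] = {"ok": [], "tampered": [], "unknown": [], "missing": []}
    seen = set()
    for code_id, scanned in scans:
        status, message = audit_code(code_id, scanned, registry)
        report[status].append(message)
        seen.add(code_id)
    for code_id, (location, _) in registry.items():
        if code_id not in seen:
            report["missing"].append(f"{code_id} at {location}: not found during sweep")
    return report


if __name__ == "__main__":
    # Constructed scan results from one walk round the venue.
    sweep = [
        ("T01", "https://Order.Example.com:443/t/1/"),               # cosmetic differences only
        ("T02", "https://order.example.com.pay-verify.invalid/t/2"),  # overlaid with a sticker
        ("T09", "https://evil.invalid/"),                             # a code nobody deployed
    ]
    for status, messages in audit_sweep(sweep).items():
        for m in messages:
            print(f"[{status}] {m}")
```

Keeping the register as the single source of truth is the point: a code is judged against the URL it was generated from, not against whether its destination "looks right", so a sticker that swaps in a lookalike domain is caught even when the page it lands on is a convincing copy.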

Strategies for individuals

  1. Download a dedicated QR scanning app that can check scanned links for malware
  2. Check the URL that the code sends you to or check with a staff member
  3. Don’t give out personal or sensitive information such as your date of birth or credit card details; use a third-party payment system if you are purchasing something
  4. Install antivirus and antimalware software on your device


with Bec & Benji