Quishing: QR code fraud

QR codes have become an integral part of our daily lives. They can be found, for example, in emails, letters or in public places. Cyber criminals now use these QR codes for phishing attacks. This threat is known as “quishing.”

Quishing is a scam that criminals mainly use on the Internet. It comes from combining the terms QR code and phishing. 

Quishing emails usually contain an urgent call to action, an example of which would be: “Immediately scan this QR code to update your personal information and password, otherwise your bank account will be blocked.” Unlike phishing, however, this is not done via a link, but by scanning a QR code with your smartphone. Quishing is basically a form of phishing.

What is a phishing attack?

The term phishing  is composed of the words “fishing” and “phreaking” (hacking). In a phishing attack, cyber criminals attempt to obtain sensitive information such as passwords, credit or debit card details, telephone numbers or other personal information of individuals or companies. They are very clever and also use phone calls or one of the following channels in advance:

• e-mails
• Text message
• Social media (WhatsApp , Instagram, Facebook Messenger, etc.)
• Websites:

Quite often, criminals contact their targeted victims by email. The processed emails look very similar to actual reputable senders (e.g. banks, logistics services, etc.), as the wording and layout of the real companies are usually imitated in a deceptively genuine way.

For example, scammers will ask recipients to update their bank login details. If this does not happen directly, they threaten to block an account. Often flimsy reasons are given, such as maintaining the security of the account. The email contains a link that recipients should click on that will take them to the fraudulent website and ask them to enter their bank login details. What those contacted do not yet know: The portal does not come from their bank, but from cybercriminals who use this scheme to gain access to their victims’ bank account details and thus their victims’ bank accounts. This is just one of many examples.

How does QR phishing work?

Quishing involves offering malicious QR codes, often on restaurant menus or as a means of payment. They cannot be identified with the naked eye as harmful. Scanning them takes you to the wrong site, where you are usually prompted to enter your payment details. Victims are often in a hurry, wanting to pay or get things done quickly. The important verification of the authenticity of the site often does not take place.

Almost always, criminals also use social engineering to build trust with their victim. As soon as the criminals trick the recipient into scanning the QR code with their smartphone, for example to collect a prize from a game of chance, they are taken to a phishing site.

In order to collect their prize, scammers ask their victims for personal information such as first & last name, address, email address, date of birth and credit card details. In some cases, the login details of certain Internet accounts of users can be accessed. Once the victim has disclosed all their sensitive information, cyber criminals use it for:

• Ransomware attacks
• Identity fraud
• Financial fraud

Quishing is significantly more difficult to detect and block than normal phishing. Instead of a link embedded directly in the text of the message, which is easier to detect by IT security programs, a quishing attack uses QR codes that are only read by the security programs as images and are therefore not recognized as a threat. In spite of security protection, the quishing emails end up in your mailbox, where they are more difficult to expose as a hacking attack, even for the human eye, as the URL is not directly visible.

How can you detect a quishing attack?

There are different ways you can detect a quishing attack. Including:

• Take a close look at the sender:  Phishing and quishing emails often use fake copies of the email addresses of the company they claim to be. Sometimes the names of the email addresses have no relation to the name of the company, which is obviously suspicious. Check that the email address matches the company and make sure there are no spelling mistakes or zeros in place of O’s. Be skeptical about all the emails you receive.
• Check the text: Phishing and quishing emails are generally aimed at manipulating users by means of certain methods. They usually create a kind of urgency in the text messages to maximize the success of the attack. Often, they also use artificial intelligence to copy the writing style of a particular company, for example. That’s why you should be cautious about emails asking you to take immediate action.
• Check the QR code: QR codes are often sent in emails as an attachment, e.g. in an invoice or as a picture. Check the QR codes for any abnormalities: For example, is the company logo missing, is it flawed or is the placement unusual? If you’re not sure, you can also try using your phone’s preview mode to see where the link leads. To do this, hold your camera over the QR code and look at the link at the bottom of your screen, but don’t click on it!

Criminals pretending to be a Swiss bank sent letters with a QR code to thousands of households in Switzerland this year. They were asked to scan the code in order to reactivate the photoTAN for online banking, allegedly for security reasons. They threatened that customers’ online banking would be blocked if the QR code was not scanned within a certain period of time. Those deceived in this way scanned the QR code, landed on a fake website with the bank’s design and entered their login details for online banking. Entering the full bank login resulted in massive financial losses for customers – and banks usually refuse to accept liability for any losses caused since their security mechanisms were in working order. Through manipulation by the criminals, the victims were diverted to non-bank sites.

QR code fraud is a real threat to which both individuals and companies are exposed. If you follow these precautions and keep yourself regularly informed about new scams, you can reduce the risk of falling prey to quishing.