
Quishing (QR phishing) explained: Think before you scan

July 24, 2024
7 minute read
Antonella Akosa
Cybersecurity and Risk Governance

Have you ever used your smartphone to scan a pattern of black and white squares so you could check into a venue or place an order at a restaurant? 

These patterns are QR (Quick Response) codes, which are two-dimensional barcodes that store information. 

Scanning a QR code with your smartphone camera can direct you to websites, trigger downloads, view details of an event, and much more, making them very convenient and efficient. 

As with any new technology, criminals are quick to find loopholes to exploit. Because a QR code can store any link or data, scammers craft codes that point to fake websites or malware downloads while looking exactly like legitimate ones. This social engineering technique is known as quishing, or QR phishing. 

In this post, you’ll learn how they work and how to avoid them.

What is quishing?

Quishing is a type of phishing attack that tricks users into scanning malicious QR codes, leading them to reveal personal information or install harmful applications.

Like traditional phishing or vishing attacks, quishing can be very effective because QR codes are often associated with convenience in restaurants, online stores and supermarkets. This makes it easier for criminals to catch you off guard and exploit you.

How does quishing work?

In a typical quishing scenario, you scan a QR code printed on a flyer or sent via email, and it redirects you to a fake website that looks authentic. This website might clone a trusted brand, your bank, or any service you regularly use. The fake site then prompts you to enter sensitive information, such as your login credentials, credit card numbers, or personal details. Once you enter your information, the scammer immediately captures it and uses it for identity theft or financial fraud, or sells it on the dark web. 

Another scenario is when you scan a malicious QR code that redirects you to a site asking you to download an app to view a menu or claim a gift, but the app installs malware on your phone instead. 

The malware then transmits personal and sensitive information from your phone to the attacker without you realising it, compromising your digital security and data.

How to detect and protect yourself against quishing

There are various red flags to look for before scanning any physical or digital QR code. Here they are:

1. Verify QR codes from unfamiliar sources

If a QR code comes from an unfamiliar source or appears where you wouldn’t expect it, be cautious and only scan QR codes from trusted sources. Scammers often place malicious codes in random public places to lure unsuspecting victims. If you see a code on a flyer, poster, or parking ticket, verify its legitimacy by checking with the issuing organisation before scanning it.

2. Avoid offers that are too good to be true

Be careful of QR codes that promise amazing deals or require immediate action. Remember, if it is too good to be true, it probably is.

Scammers often use these tactics to create a sense of urgency and lure you into scanning the code without thinking.

3. Inspect for tampered codes

Inspect the QR code for signs of tampering. Scammers may cover legitimate QR codes with malicious ones. If the code looks like it’s been altered or has a sticker placed over it, be cautious.

4. Check the URL

After scanning a QR code, carefully examine the URL before opening the link. Look for signs of phishing, such as unusual or misspelt domain names, and avoid entering personal information on unfamiliar sites. If something feels off, it is safer to type the known site's address yourself instead of following the link.

5. Use security-enhanced QR scanners

Some QR scanner apps like Trend Micro QR Scanner come with built-in security features that detect malicious codes. These apps can alert you if the scanned code is trying to redirect you to a suspicious site or prompt a dangerous download.
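The URL checks described in steps 4 and 5, as an added example that is not part of the original post or of any scanner app: a small Python screener for the text a QR scanner decodes, which flags misspelt lookalikes of domains you trust, a trusted name buried as a subdomain, punycode hostnames, bare IP addresses and plain http. The allow-list and the sample payloads are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list standing in for the sites a user actually trusts
# (an assumption for this example; a real list would hold the user's own services).
TRUSTED_DOMAINS = {"korapay.com", "paypal.com", "google.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(payload):
    """Return the red flags found in a decoded QR payload; an empty list means none."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return [f"not a web link (scheme '{parts.scheme or 'none'}'): inspect it before acting"]
    flags = []
    host = parts.hostname.lower()
    labels = host.split(".")
    domain = ".".join(labels[-2:])  # crude registrable domain (no public-suffix list)
    if parts.scheme == "http":
        flags.append("plain http: anything you type would travel unencrypted")
    if any(label.startswith("xn--") for label in labels):
        flags.append("internationalised (punycode) hostname: can imitate a familiar name")
    if host.replace(".", "").isdigit():
        flags.append("bare IP address instead of a domain name")
    if domain in TRUSTED_DOMAINS:
        return flags
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(domain, trusted) <= 2:
            flags.append(f"'{domain}' looks like a misspelling of '{trusted}'")
        elif trusted.split(".")[0] in labels[:-2]:
            flags.append(f"'{trusted}' appears as a subdomain of unfamiliar '{domain}'")
    flags.append(f"'{domain}' is not in your trusted list: type the known address yourself")
    return flags

# Constructed sample payloads, as a scanner app would decode them from printed codes.
SAMPLES = ["https://korapay.com/login", "https://paypa1.com/verify",
           "http://paypal.com.login-check.net/", "WIFI:T:WPA;S:cafe;P:secret;;"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_qr_url(sample) or ["no red flag raised"])
```

A screener like this only narrows the obvious cases; an unfamiliar domain that passes every check still deserves the manual verification the steps above describe.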

6. Avoid strange QR codes placed in unusual public spaces

Consider the context and placement of the QR code. 

Think twice before scanning a QR code in an unusual or unexpected location, such as a random flyer in a strange spot or an unsolicited email. Also, be cautious of QR codes in public places that can be easily tampered with and always stick to codes provided by official entities or well-known businesses.

7. Avoid entering sensitive information

Be wary of QR codes that ask for sensitive information like login credentials, passwords, payment details, or personal identification. Legitimate businesses typically won’t request such information via QR codes.

8. Always keep your devices updated

Ensure that your device’s operating system, browser, and security software are up to date. Updates often include security patches that protect against the latest threats.

By being vigilant and recognising the red flags, you can protect yourself from quishing attacks and enjoy the convenience of QR codes without falling for scams.

Always think twice before scanning a QR code.

---

At Kora, our goal is to connect Africa to the world and connect the world to Africa via payments. For startups and businesses working in Africa, we provide All The Support You Need ™️ to start, scale and thrive on the continent.

Sign up to see all the ways you can thrive with Kora.