You’ve heard of phishing, but have you heard of... quishing?

QR codes are prevalent in our everyday lives, offering a simple way to access websites, make payments, and share information. However, as their popularity has risen, cybercriminals have taken the opportunity to exploit them. In an attack now coined ‘quishing’, fake QR codes are being used to commit fraud.

In this guide, we’ll explore what quishing is, how common these attacks are, real-world examples and what you can do to protect yourself and your business.

What is quishing?

Quishing is a term that describes when cybercriminals corrupt legitimate QR codes or replace them with fake ones embedded with malicious links. When someone scans the QR code, it may take them to a harmful website, download malware onto their device, or prompt them to input sensitive information such as payment details.

How prevalent is quishing?

Consider the number of times you come into contact with a QR code. They’re used to view menus in restaurants, pay for parking, initiate returns in stores, and are even used on billboards. Many businesses feature them on business cards and exhibition stands to quickly lead people to a webpage. 

According to Action Fraud, there were 1,386 reports of quishing in a recent year, a significant increase from just 100 reports in 2019. Katherine Hart, lead officer at the Chartered Trading Standards Institute, has warned that quishing attacks are likely “significantly under-reported,” suggesting that the real scale of the problem could be even larger.[1]

Real-world examples of quishing

There have been several high-profile cases of quishing attacks in recent years.

One example involved a woman who lost £13,000 after scanning a QR code at a train station in Stockton-on-Tees. After she scanned the code, cybercriminals managed to make a series of fraudulent payments using her credit card and even took out a £7,500 loan in her name within minutes.[2]

The RAC recommends never using QR codes found on parking meters to pay for parking. Instead, it’s safer to use cash, card, or manually search and download the official parking app via your app store.

With parking meter quishing scams, victims not only suffer the financial fallout of a scam, but also risk receiving a parking fine as payment wasn’t made to the car park.

Protecting yourself from quishing attacks

While quishing is a growing threat, there are some simple precautions you can take to protect yourself:

  • Prioritise safety over convenience

If in doubt, avoid scanning a QR code. Is there another way to access the information? This may be the safer option.

  • Check for the padlock icon

When visiting a website linked from a QR code, check for the padlock icon in the address bar. This indicates a secure connection. However, be cautious – just because a website has this icon doesn’t mean that it’s trustworthy.

  • Properly train your staff

It’s crucial that you and your staff are aware of the latest cyber threats. Make sure you provide regular cybersecurity training to reduce the risk of human error.
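The padlock point above can be turned into a check on the link a QR code decodes to, before anyone opens it. This is an added example, not part of the original article: the allowlist, the shortener sample and every host name in it are constructed assumptions, and it shows why HTTPS alone says nothing about who runs the site.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the domains your organisation actually expects its QR codes to open.
EXPECTED_HOSTS = {"pay.parking.example"}
# Small illustrative sample of link shorteners, which hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def triage_qr_url(payload, expected_hosts=EXPECTED_HOSTS):
    """Return warnings for text decoded from a QR code (empty list = no flags)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["malformed link: review manually"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not a web link: review manually"]
    warnings = []
    if parts.scheme == "http":
        warnings.append("no HTTPS: connection is not encrypted")
    if parts.username or parts.password:
        warnings.append("credentials in URL: text before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host: may imitate a familiar name")
    if host in SHORTENERS:
        warnings.append("link shortener: final destination is hidden")
    if host not in expected_hosts:
        warnings.append(f"host '{host}' is not an expected domain")
    return warnings

if __name__ == "__main__":
    # Constructed samples: the second has a valid padlock but the wrong owner.
    for sample in ("https://pay.parking.example/bay/42",
                   "https://pay.parking.example.verify-bay.test/bay/42",
                   "http://192.0.2.10/pay"):
        print(sample, "->", triage_qr_url(sample) or "no flags")
```

The second sample is served over HTTPS and starts with the expected name, yet it is flagged because the registered domain at the end of the host is different.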

Is your business prepared for cybercrime?

As cybercrime continues to evolve, your business may find that it’s underinsured when it comes to cyber threats. Traditional insurance may not cover the costs of a cyberattack, which is why it’s important to consider standalone cyber insurance. Get in touch to find out more.

Consistent with our policy when giving general advice, this article does not constitute legal or professional advice. For specific concerns, we recommend seeking guidance from a qualified professional.

Sources

[1] https://www.bbc.co.uk/news/articles/cq6yznmv3gzo

[2] Thornaby: Woman targeted in £13k railway station QR code scam – BBC News