We’ve talked about phishing, smishing, and now…quishing! Quishing—another name for QR code scams—is a way that fraudsters utilize Quick Response (QR) codes to hack into your device or redirect you to a malicious website.
While QR codes remained commonplace since the rise of smartphones, the 2020 pandemic saw a massive uptick in use. In an effort to minimize contact, you would use QR codes to order food, view menus, upload vaccinations, contact trace, and more. Though times have (somewhat) returned to normal, QR codes remain a fixture in streamlining business operations and transactions.
While QR codes can appear anywhere, there are a few classic methods that fraudsters like to use:
Fraudsters can place a look-alike QR code on top of a restaurant’s legitimate code. Their QR code will redirect you to a site that may look like a menu, but will steal your payment information!
Many parking meters can be paid for using a third party app these days. The company may put a QR code on the meter to redirect you to the app store or their website to pay. Similar to the restaurant menus, fraudsters will cover up legitimate codes with fake ones, leading you to their site where they can steal your payment information.
You may also receive phony QR codes via text or email, often with an urgent claim that there is something wrong with a delivery or you need to verify your account information. This is an attempt to hack into your device or learn your account login information.
In this burgeoning scam trend called ‘brushing’, you receive an unsolicited package that has a small gift and a QR code. You are asked to scan the code to find out who sent it and register/activate your ‘gift’. On the spoof website you are sent to, you’ll be asked for financial and account information, usernames/passwords, and other sensitive information.
Before scanning a QR code, take a moment to inspect it. Does the QR code look like it belongs there? You may notice general wear and tear, but also peeling edges or bumps that look like it wasn’t placed correctly. If the QR code is a sticker, you can also try looking underneath to see if it is covering up another QR code
When you first scan a QR code with your camera, most smart devices will give you a preview of the link destination. Make sure that the address is spelled correctly and looks legitimate. More importantly, ensure it is the website you were expecting!
Like with most scams we warn about, a telltale sign that a fraudster is contacting you is a tone of urgency, whether by fear (purported suspicious activity on your account) or excitement (claim your ‘prize’ now!). It is best not to use unsolicited QR codes; if you think the message is legitimate, reach out to the company or access your accounts through known, verified channels.
Remember to keep your account and device safe to help protect you from scams! Regularly update your device operating systems to keep security measures current. For sensitive accounts, enable Multi-Factor Authentication if you can and regularly change your password.
You are about to leave our site. Do you want to continue?
