We are in the middle of Black Friday, a period in which we get excited about making more or less compulsive purchases. And in which, inevitably, as online transactions increase, so do scam attempts.
It is precisely in these days that the vocabulary of scams linked to new technologies needs updating. It is indeed striking how every new technology brings with it a counterpart on the wrong side of the law. Yes, because quishing has arrived: the scam linked to the ever more widely used QR codes. Let's find out what it is.
From phishing to quishing
We have all learned what phishing is by now.
It is a scam that takes place online, in which an attacker tries to deceive the victim into providing personal information (financial data or access credentials) by means of communications that appear to come from credible sources. If you are not alert, the consequences of phishing are predictable and very unpleasant.
Phishing occurs via email. If the deception attempt is carried out via SMS, it is called smishing. By the same linguistic game, the scam conveyed through QR codes has been called quishing (QR + phishing). But how does it work?
Quishing, scam via QR code
The quishing scam is based on the same principle as phishing: that of capturing the trust of the potential victim through apparently truthful messages.
What is new is the delivery method: scanning a QR code. This brings an extra problem for the user: the QR code is an image, and as an image it is not flagged as a threat by antivirus programs. Add to this that simple software is enough to create a QR code, and it follows that the link that appears after scanning can be of any type, including one that lets malware onto the device and steals a large amount of data.
The spread of quishing
A further peculiarity (and danger) of the quishing scam is that it is, so to speak, a multi-channel scam.
Fraudulent QR codes can in fact arrive by email, but they can also be found on the street or on flyers that end up in our hands. If you point your camera at the code, you land on sites that ask you to enter credentials or sensitive information.
How to protect yourself
Every new risk must be followed by new precautions.
The quishing scam forces us to pay QR codes the same attention we have so far paid to emails and messages. First of all, scan only codes whose origin we are sure of (it is hard, for example, to imagine a scam by a restaurant that lets you scan its menu). We should, however, be wary of codes coming from unknown sites, or of messages that contain grammatical errors.
After that, even if the sender of the QR code seems completely trustworthy, we should avoid entering our sensitive data or credit card details.
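The article says that the link hidden behind a QR code can be of any type and that QR codes deserve the same scrutiny as email links. Most scanner apps show the decoded text before opening it; the script below is an added example (not part of the original article or of any product it mentions) of the checks a defender would run on that decoded text before letting it open: plain HTTP, IP-literal hosts, URL shorteners, credentials embedded in the URL, lookalikes of domains the user actually deals with, and credential-collection paths on unknown sites. The brand allow-list, the shortener list and the sample payloads are constructed for the example; only the standard library is used.

```python
"""Triage of the text decoded from a QR code before it is opened.

Added example, not from the original article. It assumes the QR payload
has already been decoded by the camera or a scanner app and inspects only
the resulting string with the Python standard library.
"""
import ipaddress
from urllib.parse import unquote, urlparse

# Constructed allow-list: domains the user legitimately deals with (assumption).
KNOWN_BRANDS = {"example-bank.com", "example-post.com"}

# Constructed list of URL shorteners; they hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Words that typically mark a page asking for credentials or a second factor.
CREDENTIAL_WORDS = ("login", "signin", "verify", "2fa", "otp", "password", "account")


def _host_is_ip(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _trusted(host: str) -> bool:
    """True when host is one of the known brands or a subdomain of one."""
    return any(host == b or host.endswith("." + b) for b in KNOWN_BRANDS)


def _lookalike(host: str, brand: str) -> bool:
    """True when host imitates brand without being it or a subdomain of it."""
    if host == brand or host.endswith("." + brand):
        return False
    # Brand name buried inside another registrable domain,
    # e.g. example-bank.com.evil-login.net
    if brand in host:
        return True
    # First label one character off, e.g. examp1e-bank.com vs example-bank.com
    first, label = host.split(".")[0], brand.split(".")[0]
    return len(first) == len(label) and sum(a != b for a, b in zip(first, label)) == 1


def triage_qr_payload(payload: str) -> dict:
    """Return a verdict ('not-a-url', 'no indicator', 'suspicious') plus reasons."""
    reasons = []
    text = payload.strip()
    if not text.lower().startswith(("http://", "https://")):
        # Wi-Fi credentials, vCards, plain text: nothing to open, nothing to judge here
        return {"verdict": "not-a-url", "reasons": reasons, "host": None}
    url = urlparse(text)
    host = (url.hostname or "").lower()
    if url.scheme.lower() != "https":
        reasons.append("plain http")
    if _host_is_ip(host):
        reasons.append("ip address instead of a domain")
    if host in SHORTENERS:
        reasons.append("url shortener hides destination")
    if url.username is not None:
        reasons.append("credentials embedded before host")
    for brand in sorted(KNOWN_BRANDS):
        if _lookalike(host, brand):
            reasons.append(f"looks like {brand} but is not")
    path_and_query = unquote(url.path + "?" + url.query).lower()
    if any(w in path_and_query for w in CREDENTIAL_WORDS) and not _trusted(host):
        reasons.append("asks for credentials on an unknown site")
    verdict = "suspicious" if reasons else "no indicator"
    return {"verdict": verdict, "reasons": reasons, "host": host}


if __name__ == "__main__":
    # Constructed sample payloads as a scanner app would decode them.
    for sample in (
        "https://www.example-bank.com/menu",
        "http://example-bank.com.evil-login.net/verify",
        "https://bit.ly/CONSTRUCTED",
        "https://192.0.2.10/2fa",
        "WIFI:T:WPA;S:cafe;P:secret;;",
    ):
        result = triage_qr_payload(sample)
        print(f"{result['verdict']:12} {sample}  {'; '.join(result['reasons'])}")
```

The allow-list is the part worth tailoring: lookalike detection only makes sense against the handful of domains a user or organisation actually authenticates to, which is why the example keeps the list small and explicit instead of trying to judge arbitrary domains.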
The Check Point Software report
Recent research by Harmony Email, from the Check Point Software team, looked at the quishing scam.
And the results are chilling: scams involving malicious QR code scans increased by 587%.
Harmony Email identified exponential growth in quishing between August and September 2023. The technique is particularly sneaky: the QR code appears in the body of the fraudulent email, presented as a two-factor authentication step, paradoxically leveraging the presumed absolute safety of the message.
What are QR codes and how do they work?
QR Code stands for Quick Response Code.
It is an image in the form of a square, containing a series of black modules on a white background that encode specific information. The principle is not too dissimilar to that of barcodes.
During the months of the pandemic, QR codes had their first major spread, for obvious health reasons, and their use is constantly growing. To take one example, in 2022, 89 million people in the United States used a QR code at least once, a 26% increase compared to 2020.
It is exactly their widespread use, and the fact that we are not yet accustomed to perceiving them as potential threats, that makes us lower our guard. As Jeremy Fuchs, security researcher and analyst at Check Point Software, explains: “The image can hide a malicious link, and if the original image is not scanned and analyzed, it will simply appear as a normal image. And since end users are used to scanning QR codes, receiving one via email isn’t necessarily a cause for concern.”