Quishing

QR codes were once a quirky novelty, a quick way to get more information about a museum exhibit or a product. During the pandemic, they became an essential part of daily life, from restaurant menus to boarding passes. But as QR codes have become ubiquitous, a new threat has emerged: “quishing,” a form of phishing that uses these seemingly harmless symbols to dupe millions of people worldwide.
​

The Rise of a Global Threat

Cybercriminals have turned the QR code into a new weapon. They can easily print fake QR code stickers and place them over legitimate ones on public surfaces like parking meters, train stations, or even utility bills. They rely on the victim being in a hurry, with the urgency of a payment or transaction overriding their caution. When the unsuspecting user scans the fraudulent code, they are redirected to a malicious website designed to steal personal information, download malware, or trick them into making an unauthorized payment.
​
This low-effort, high-return tactic is gaining traction as traditional email phishing campaigns become less effective. A study by the cybersecurity platform KeepNet Labs found that 26% of all malicious links are now sent via QR code. The appeal for criminals is the ease with which the scam operates and the user's inability to verify the destination URL just by looking at the code.

Why We Fall for It

​A significant factor contributing to the success of quishing is user trust. A global study by Malwarebytes found that 70% of iPhone users have scanned a QR code to begin or complete a purchase, compared to 63% of Android users. The researchers suggest that the high trust in their devices may cause some users to let down their guard. The same study found that 55% of iPhone users and 50% of Android users believe their devices can keep them safe from cyber threats, highlighting a pervasive and dangerous overconfidence.

Experts warn that even stylized QR codes with company logos can be easily copied by cybercriminals, creating a false sense of security. Attackers can even use these codes to infiltrate critical networks or distribute remote access Trojans (RATs), a type of malware that allows hackers full access to a device. As a result, quishing isn't just a risk for consumers; it's a threat to corporate and government security.

The Cat-and-Mouse Game of Security

The battle against quishing is an ongoing one. Some institutions, like the Children's Museum of Indianapolis, are fighting back by using stylized QR codes and regularly inspecting them for tampering. At the same time, researchers like Professor Gaurav Sharma at the University of Rochester are working on developing "smart" QR codes with built-in security features.

However, as a cybersecurity professional noted, "QR codes weren’t built with security in mind; they were built to make life easier." This makes them a perfect tool for scammers. As long as attackers can easily compromise legitimate documents and public surfaces by simply pasting a fake QR code over a genuine one, the onus remains on the user. The best defense is to exercise caution: avoid scanning unwanted or unexpected QR codes, and if you must, always check to see if your phone's camera app displays the full URL before you click on it.

Ep347

Image Source: Licensed by Google