What is QRishing? How to avoid?


QRishing is a form of phishing attack in which hackers exploit QR codes to steal personal information, install malware on a device, or direct a person to an unsafe website.

So how do these attacks work? How can you avoid becoming a victim of a QRishing attack?

What is QRishing?

QRishing exploits the tendency of phone users to scan QR codes out of curiosity, boredom or necessity.

For example, an attacker might leave flyers at a bus stop or on a table at a restaurant or cafe. When a person scans a QR code with their phone, thinking it’s an ad or a menu, it displays a URL, image, or map with directions to a location, among other things.

From there, scammers rely on social engineering to trick victims into sharing sensitive information. Hackers can also exploit vulnerabilities such as WebKit bugs in browsers to take over victims’ devices.

How does QRishing work?

Of course, not everyone scans random QR codes without incentives or captions explaining what they can expect. Therefore, cybercriminals often find another way to attract people’s interest.

Change popular or trusted QR codes

Cybercriminals can obtain a flyer from a popular financial institution or government agency. Next, they change the QR code but keep the other details and design, then share the flyer online. They can also post these QR codes in public places where people can see and scan them. This particular trick was widely reported after the 2022 Super Bowl Coinbase QR code ad went viral.

Post fake flyers with QR codes

Here, cybercriminals can create fake flyers with generated QR codes that direct those who scan them to a website where attackers can steal their data. Even if this attempt fails, the attacker can still collect location and device data from the victim’s browser. Worse yet, a determined attacker could use browser fingerprinting to track victims online.

Embed QR codes in phishing emails

This form of QRishing is often part of common email phishing methods. Unlike shortened hyperlinks, hovering over a QR code doesn’t display the destination URL, so it’s easy for scammers to trick potential victims into scanning the QR code for a chance to win a gift card, for example.
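
Because the destination stays hidden until the code is scanned, it helps to inspect the decoded payload before anything opens it. The following Python sketch is an added example, not part of the original article; it assumes a scanner has already decoded the QR code to a string, and the function name, flag names and shortener list are illustrative.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative, non-exhaustive list of link-shortener hosts (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def inspect_qr_payload(payload: str) -> dict:
    """Describe a decoded QR payload and flag traits worth a second look."""
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    if scheme not in ("http", "https"):
        # Non-web payloads (WIFI:, tel:, plain text) are reported, never opened.
        return {"kind": scheme or "text", "host": None, "flags": []}
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    flags = []
    if scheme == "http":
        flags.append("no-tls")
    if parts.username or parts.password:
        # Text before "@" can imitate a trusted name; the real host follows it.
        flags.append("userinfo-in-url")
    if host in SHORTENERS:
        flags.append("shortener")  # final destination is still hidden
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # may render as a look-alike name
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass  # host is a name, not an IP address
    try:
        if parts.port not in (None, 80, 443):
            flags.append("unusual-port")
    except ValueError:
        flags.append("invalid-port")
    return {"kind": "url", "host": host, "flags": flags}

if __name__ == "__main__":
    # Constructed sample payloads using reserved example domains and addresses.
    samples = [
        "https://example.com/menu",
        "http://bit.ly/abc123",
        "https://bank.example@203.0.113.7/login",
        "https://xn--exmple-cua.example:8443/",
        "WIFI:T:WPA;S:cafe-guest;P:constructed;;",
    ]
    for s in samples:
        print(s, "->", inspect_qr_payload(s))
```

A non-empty flag list does not prove the code is malicious; it marks payloads where the real destination should be confirmed before visiting.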

How to avoid QRishing?

Scanning and reading QR codes mainly requires two things: a camera and a browser to follow the information in the QR code. Because the mechanics are so simple, it is also easy to avoid falling victim to these scams, as follows:

Block camera access on your phone

Most people have their phone cameras ready to capture important moments or make video calls. This is understandable. But having an always-on camera can also make it easy to scan QR codes without thinking twice.

Consider deactivating your iPhone camera when it is not in use. A quick way to do that is to swipe down from the notification area and block camera access. Alternatively, navigate to Settings > Apps > Permissions. You can then turn off the camera or set it up to request permission every time you want to use the app. The process is similar for Android users.

Of course, this will be a bit inconvenient, especially if you use the camera a lot. However, sometimes the inconvenience of turning the camera off and on is worth the trade-off for increased security against QRishing and third-party apps accessing your camera.

Always update software

Hackers can exploit software vulnerabilities in apps or phone operating systems without your knowledge. For example, hackers can exploit a WebKit security vulnerability in the browser to hack your phone, tablet, or even smartwatch. Consider setting your device to automatically update apps and install security updates as soon as they become available.

Avoid sharing sensitive information online

Scanning a QR code can take you to a website or online form where you will be asked to provide information such as bio-data, email address, account password or card details for your chance to win some fictional prize.

As a general rule, avoid sharing any personal data online. Besides the risk of your account being hacked or having your money stolen, cybercriminals can also use the details you’ve shared to steal your identity.

Think before scanning

You don’t need to scan every QR code displayed. Be suspicious and avoid scanning anything unnecessary. In most cases, you can look up a company’s website or menu by searching online first.

QRishing is less common than other types of phishing because the attacker needs to invest some effort into distributing the malicious QR code. However, because this form of fraud is relatively new and not many people know about it, people can easily fall for it. Cybercriminals who carry out these attacks can gain a lot of valuable information and have nothing to lose.