QR phishing: How worried should you be?

Cybercriminal methods of attack are continuously changing as they seek potential weak points in security. One emerging – or, perhaps, possibly emerging – method of cyberattack is QR code phishing or “qishing”. This technique uses the ubiquitous QR code to trick users into exposing sensitive information or accessing malicious sites. This article covers the workings of QR phishing, and strategies to combat it.

We do, however, want to make clear that there is currently little evidence that QR-based phishing has reached problematic levels. While incidents of supposed QR phishing have been reported in the press, the specific details of the incidents are very woolly and the affected individuals concerned may well have been scammed in other, more traditional ways. Similarly, some incidents may be attributable to threat actors testing the waters rather than being serious campaigns. That said, as it is at least a theoretical risk, it’s worth looking at.

QR phishing: A new frontier in cybercrime?

QR codes have become a staple in everyday life, offering a quick and convenient way to access websites, information, and services. However, this convenience also potentially opens up a new avenue for cybercriminals.

QR phishing involves embedding malicious links within QR codes, directing unsuspecting users to phishing sites designed to steal either their logins or their money. The malicious QR codes can then either be emailed or printed and used to cover existing QR codes displayed in public places. However, whether this is actually happening – or, if it is, how often – is unclear.

A rise in QR phishing incidents?

Recent trends have indicated a possible rise in QR phishing incidents. For example, a report from Cofense outlined a campaign targeting a major U.S. energy company. However, whether the uptick is a sign of things to come or simply a case of bad actors testing the viability of QR phishing is unclear.

In another incident recently reported on by the BBC, a woman in the UK supposedly lost £13,000 in a railway station QR code scam. Cybercriminals supposedly replaced one of more QR codes displayed in the station’s parking lot with one that “sent her to a fake website allowing them to redirect payments and card information, resulting in the victim, 71, losing thousands of pounds.” However, it’s worth noting that a representative of the company that operates the lot stated, “We acted quickly and thoroughly inspected all our car-park signs. No evidence of fraudulent stickers was found and we had not received any reports in our customer relations system or social media contact.” So was this even a case of QR phishing? Replacing QR codes in an area that is very likely under surveillance seems to be very risky – certainly far more risky than traditional email phishing. Why would somebody take that extra risk?

The BBC say this incident “is one of about 1,200 QR scams investigated by the UK’s national fraud reporting centre in just over three years.”

What should you do?

In business environments, the risk of QR codes is easily mitigated: instruct employees to never scan them. We can think of no valid reason why a QR code would ever be emailed.

But should you scan a QR code that you encounter in a public space such as a parking lot, especially if you’ll be entering financial information? We really can’t answer that. The risk of the code having been tampered with is exceptionally small but there is some risk. If you do decide to scan, be sure to check the URL and make sure the website appears to be legitimate. If in any doubt, ask an employee for advice or look up the URL of the site you need to visit and access it that way.

Emsisoft solutions

Emsisoft offers robust cybersecurity solutions that are crucial in the fight against phishing of all types. Our advanced anti-phishing technology is designed to block access to phishing sites, malware-delivery platforms, and malware itself. Read more about our easy-to-use multi-layered security solutions for homes and businesses.

We also offer a no-cost browser extension that blocks access to malicious websites. It works with Chrome and Chromium-based browser like Microsoft Edge and Brave, as well as Firefox. You can find out more here.