Avoid Falling Victim to QR Code Phishing

QR codes are everywhere. Marketers use them in emails, text messages, brochures, and signs to direct consumers to their websites. They are fast and convenient for consumers, eliminating the need to type the URL in their browser. Unfortunately, hackers also use QR codes in phishing emails to direct recipients to a bogus website. The site may be used to capture sensitive information such as login credentials or financial information. It may also download some type of malware automatically.

QR code phishing, or “quishing”, has many of the same characteristics as traditional phishing attacks. The emails and text messages appear to be from trusted sources. The messages create a sense of urgency, encouraging the recipient to act quickly. They may also appeal to the recipient’s emotions with the promise of a gift or monetary award.

Quishing attacks are especially risky because they can often bypass email filtering and other security controls: the malicious link is encoded in an image rather than written out in the message text. The goal is typically financial fraud. The attackers may steal the identities of individuals or dupe organizations into transferring money. If malware is downloaded, the impact can quickly spread throughout the IT environment.

There are several steps you can take to protect yourself and your organization from quishing attacks:

  • Be wary of QR codes you receive without warning or from senders you don’t recognize. If you are unsure, err on the side of caution and do not scan the QR code.

  • Confirm the legitimacy of QR codes you receive from organizations you trust. Contact the company to ensure that the QR code is genuine.

  • Look for the hallmarks of a phishing attack. If the sender urges you to act immediately, that is a telltale sign.

  • Hover over the QR code to see which web address it points to. If it is not what you expect, do not scan the QR code.

  • Inspect the QR codes on brochures and signage to see if they have been tampered with.

  • Never enter personal or financial information into a website accessed by scanning a QR code.