Quishing – the QR code that sends you to download bad stuff
Let’s go back to basics: what is a QR code? From digital.gov:
QR codes (or Quick Response codes) are two-dimensional codes that you can scan with a smartphone. The code contains information, usually a site address, and once you scan it, the code connects you with a resource on the web.
So this is the problem: we depend on the benevolence of the person creating the QR code. You can see where I am going with this…
A criminal hacker can easily create a QR code that attempts to send you where they want you to go (some hacker website which will do something to your computer/phone), or that tries to take something from you (your username/password or other details).
So what can be done? I know number 1 sort of defeats the purpose of a QR code, but this is the problem — new technologies can be used against us!!
1. Switch to manual: If a QR code might be malicious (maybe your spidey sense is up?), manually enter the website URL instead of scanning the code. This ensures that you are visiting the intended site directly!
2. Suspicious signs: Unusual requests from the QR code, such as asking for personal details or login credentials, should raise red flags. If a request seems out of place, it is best to avoid scanning. Or, if you have already scanned and it does not look right, leave right away!!
3. Use anti-virus on your phone.

*****To scan a QR code, it is best to just use the standard QR reader that comes with your phone. Most phones these days can read QR codes in a picture taken or within their basic function. Using other apps (like QR helper apps) to scan QR codes can sometimes make scanning difficult (with ads). You don't want to be looking at ads or dealing with other problems in another app.

A quishing attack is where a user scans a QR code, assuming a trusted source, and is redirected to a malicious website or prompted to download malware so as to steal data. The attacker’s goal is to trick the user into divulging personal information like credit card or login details.

Just as with all social engineering scams (phishing (email), smishing (text), and now quishing (fake QR code)), be careful which QR code you scan and which link you click. For example, if you scan a QR code for your water company, the link that pops up on your phone should be your water company's website, not a fake abcwaterco-company.co/usa link (not a real link). Here the .co in the domain name is actually the country code of Colombia; check out the Government of Colombia site: https://www.gov.co/

These are just examples, a version of which should be placed into your security policy. Contact me to discuss. Also keep an eye on my store, as I will add helpful aids in the future (like security policy templates).
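
The water company check described above can be automated for text decoded from a QR code. This is an added example, not part of the original post: the function name, the placeholder domain abcwaterco.example and the HTTPS-only rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: "abcwaterco.example" is a placeholder for the
# domain you already know your water company uses.
EXPECTED_DOMAINS = {"abcwaterco.example"}


def check_qr_url(payload, expected=EXPECTED_DOMAINS):
    """Return (ok, reason) for the text decoded from a QR code."""
    text = payload.strip()
    # QR payloads often omit the scheme; add one so the host is parsed.
    if "://" not in text:
        text = "https://" + text
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").rstrip(".").lower()
        userinfo = parts.username or parts.password
    except ValueError as exc:
        return False, f"not a parseable URL: {exc}"
    # Assumption of this example: a billing site should only use HTTPS.
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    if userinfo:
        return False, "text before '@' is not the host; real host is " + host
    if not host:
        return False, "no host name in payload"
    if host.startswith("xn--") or ".xn--" in host:
        return False, f"{host} is a punycode name; check it by hand"
    for domain in expected:
        # Exact match, or a true subdomain (dot boundary before the domain).
        if host == domain or host.endswith("." + domain):
            return True, f"{host} belongs to {domain}"
    return False, f"{host} is not one of the expected domains"


if __name__ == "__main__":
    # Constructed sample payloads; the first is the fake link from the post.
    samples = [
        "abcwaterco-company.co/usa",
        "https://abcwaterco.example/pay",
        "https://abcwaterco.example@abcwaterco-company.co/usa",
        "https://abcwaterco.example.abcwaterco-company.co/",
    ]
    for s in samples:
        print(s, "->", check_qr_url(s))
```

The last two samples show why the comparison is made on the parsed host name with a dot boundary: the expected name appearing somewhere in the link does not make it the site you are visiting.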