Take out your phone, scan the QR code, and pay. It’s that simple, right? In India, almost everyone has UPI and almost every vendor has a QR code that can be used to pay for goods and services. Payment, however, is not the only use case. Recent reports suggest scammers have formulated ‘QR phishing’ or ‘quishing’ attacks, which use a tiny-looking QR code to steal sensitive data, plant trojans or other malware, or empty a victim’s bank account.
Unfortunately, few people know about this QR-based scam, which means bad actors can weaponize QR codes without the victim realising they have been attacked. In this article, we explain what quishing is, how it relates to phishing, and how you can avoid a trap that could cost you your life savings or more.
What is Phishing?
Phishing is a type of social engineering attack in which attackers build websites and portals that look almost identical to their legitimate counterparts. The attack works by deceiving people into entering their login credentials or debit/credit card details, or into installing malicious software, to name a few outcomes.
For instance, if you search for XYZ Bank’s website on Google, you might land on a phishing site that is a near-perfect doppelganger of the bank’s real site, typically reached through a sponsored result or a lookalike domain. It prompts you to enter sensitive information, and once you do, your privacy, security, bank balance or other assets are at risk.
Phishing isn’t anything new. Quishing, however, is relatively new, because it rides on QR codes, which have become extremely popular in India and other countries. Let’s dig deeper into what quishing is.
What is Quishing?
Walk into any grocery store or mall and you will find small checkered QR codes that do anything from opening a website or a menu to launching a payment app with the receiver’s details already filled in. We rarely second-guess a QR code before acting on it, just as we don’t when paying for goods or services, and that is exactly what makes it dangerous. A QR code is nothing more than an encoded string, usually a web link or a upi:// payment link; the human eye cannot read it, and the scanner cannot tell a legitimate one from a malicious one.
Attackers exploit this by creating malicious QR codes and placing them on a website, in an email, on a phishing site, or as physical codes posted outside cafes, offices, buildings and so on. Pamphlets, newspapers, social media photos, physical ads, food packaging, and almost any virtual or physical surface can carry a phishing QR code waiting for its next victim. A commonly reported physical variant is a sticker pasted over a merchant’s genuine payment QR, so that every customer who scans it pays the attacker instead of the shop.
Once you scan such a code, you may land on a spoofed website such as your bank’s or Amazon’s that harvests your login credentials or personal information, or on a page that pushes an app or file that installs malware without your knowledge. Detecting quishing has become difficult as attackers keep evolving their tactics against unsuspecting users.
It is also challenging because the QR code is usually scanned on a different device from the one it was delivered to. A phishing QR may arrive in an email on your PC, where mail filters and link scanners cannot inspect it because the URL is embedded in an image rather than in text, and you then scan it with your phone, where the browser shows a truncated address bar and offers no hover preview. That cross-device jump is what makes the attack so effective.
How To Detect A Quishing Attack?
Attackers use various social engineering methods to mask their quishing attacks and make them harder to recognise. However, there are tell-tale signs you can look out for to detect a quishing attempt.
Common signs: Look for misspellings, grammatical errors, websites that look the same but with tiny differences in the URL, logo or font, lookalike email addresses, and so on. Note that these ‘typos’ are often not careless writing but deliberate, so the attacker can mimic a trademarked name, logo or asset while keeping a similar look and feel.
Text attributes: Most quishing emails rely on emotional manipulation, creating a sense of urgency to raise their success rate. Attackers might spoof your bank’s website, ask you to provide certain information, and threaten that your account will be closed or services stopped unless you act immediately. A real bank does not threaten to close your account over a QR code in an email.
Hover, don’t click: What would you do if I sent you a hyperlink saying “Check out prices for the OnePlus 12”? You would assume it leads to a dedicated page on SmartPrix, the OnePlus website, or an ecommerce platform where the phone is sold, right? Attackers use exactly such hyperlinks to take you to a phishing website. So always hover over a hyperlink and check whether the URL looks legitimate. You cannot hover over a QR code, but most phone camera apps and QR scanners show the decoded link before opening it; read the domain there before you tap.
Too good to be true: As the saying goes, if something seems too good to be true, it probably is. If the offer or the claims around a QR code or message look too good, back off and let it go.
How To Avoid a Quishing Attack?
You may not be able to recover money lost to quishing even if the culprit is caught, so it is better to be cautious beforehand. Keep these pointers in mind.
- Avoid scanning QR codes posted in random or unfamiliar places, such as a random social media post asking you to scan.
- If the offer is too good to be true, steer away.
- Check the domain in the address bar, not just the padlock. HTTPS only means the connection is encrypted; most phishing sites today have a valid certificate too, so a padlock says nothing about who owns the site.
- If you spot errors, misspellings, a slightly off logo or wording, or anything a real brand would not do, it could be a phishing attempt.
- Never enter your UPI PIN or other sensitive information on random websites or in random apps. In UPI you enter your PIN only to send money; no PIN is ever needed to receive a payment, so any QR code or request that asks for your PIN so you can ‘receive’ money is a scam.
- Check the URL by hovering over a link before clicking; for a QR code, read the decoded link your scanner shows before opening it.
- Steer clear of attachments in emails from unfamiliar sources.
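The detection signs and the pointers above both come down to one habit: read the decoded link before you act on it. The script below, added here as an illustration and not code from any scanner, bank or UPI app, applies those checks to a QR payload that has already been decoded to a string. It assumes the public UPI link format (upi://pay?pa=payee&pn=name&am=amount), and its brand list, shortener list and lookalike rules are illustrative assumptions rather than a complete blocklist. The sample payloads are constructed for the example.

```python
"""Inspect a decoded QR payload before acting on it.

Added example for this article; not code from any scanner, bank or UPI app.
Assumes the QR has already been decoded to a string. The brand list,
shortener list and lookalike rules are illustrative assumptions, and the UPI
checks follow the public upi://pay?pa=...&pn=...&am=... link format.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Illustrative lists (assumptions for this example, not exhaustive).
KNOWN_BRANDS = {"sbi", "hdfcbank", "icicibank", "amazon", "paytm", "phonepe"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly"}
TWO_LABEL_SUFFIXES = {"co.in", "net.in", "org.in", "co.uk", "com.au"}
# Digit-for-letter swaps commonly used to build lookalike names ("amaz0n").
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_label(host: str) -> str:
    """Label directly under the public suffix, i.e. the part someone actually
    registered: 'login.sbi.co.in' -> 'sbi', 'pay.amaz0n-offers.com' -> 'amaz0n-offers'."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return labels[0]
    return labels[-(suffix_len + 1)]


def inspect_url(url: str) -> list[str]:
    """Return human-readable warnings for a web link; an empty list means none found."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append(f"not HTTPS (scheme '{parts.scheme}')")
    if not host:
        return findings + ["no hostname in link"]
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address, not a domain")
    except ValueError:
        pass
    if "@" in parts.netloc:
        findings.append("text before '@' is not the host; real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homoglyph domain)")
    if host in URL_SHORTENERS:
        findings.append("URL shortener hides the real destination")
    if host.count(".") >= 4:
        findings.append("deeply nested subdomains")
    reg = registrable_label(host)
    normalized = [label.translate(CONFUSABLES) for label in host.split(".")]
    for brand in sorted(KNOWN_BRANDS):
        # Brand name present somewhere in the host, but the registered domain
        # is something else: "sbi.secure-login.com" or "amaz0n-offers.com".
        if brand != reg and any(brand in label for label in normalized):
            findings.append(f"'{brand}' appears in host but registered domain is '{reg}'")
    return findings


def inspect_upi(uri: str) -> list[str]:
    """'pa' is the VPA that receives the money; 'pn' is free text the attacker
    controls, so compare it with the payee your UPI app displays before confirming."""
    findings = []
    parts = urlsplit(uri)
    if parts.netloc.lower() != "pay":
        findings.append(f"unexpected UPI action '{parts.netloc}' (expected 'pay')")
    pa = parse_qs(parts.query).get("pa", [""])[0]
    if "@" not in pa:
        findings.append("payee address 'pa' is missing or not of the form name@handle")
    return findings


def inspect_qr_payload(payload: str) -> dict:
    """Classify a decoded QR string and collect warnings. Anything that is not
    a web link or a UPI payment link is reported rather than acted on."""
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    payee = None
    if scheme == "upi":
        findings = inspect_upi(payload)
        payee = parse_qs(parts.query).get("pa", [None])[0]
    elif scheme in ("http", "https"):
        findings = inspect_url(payload)
    elif scheme:
        findings = [f"unexpected scheme '{scheme}': not a web link or UPI payment"]
    else:
        findings = ["not a URI at all; treat as plain text and do not act on it"]
    return {"scheme": scheme, "payee": payee, "findings": findings,
            "verdict": "SUSPICIOUS" if findings else "nothing obviously wrong"}


if __name__ == "__main__":
    # Constructed sample payloads for the example, not real QR codes.
    for sample in (
        "upi://pay?pa=cornershop@okaxis&pn=Corner%20Shop&am=120",
        "https://login.sbi.co.in/",
        "http://sbi.secure-login.com/verify",
        "https://pay.amaz0n-offers.com/deal",
        "https://bit.ly/3abcdef",
        "https://sbi.co.in@evil.example/login",
        "WIFI:T:WPA;S:cafe;P:secret;;",
    ):
        report = inspect_qr_payload(sample)
        print(f"{report['verdict']:<22} {sample}")
        for finding in report["findings"]:
            print("    -", finding)
```

The checks mirror the advice in the article: the scheme check catches links that are not HTTPS, the ‘@’ and punycode checks catch addresses that hide the real host, the brand check catches a bank’s name used as a subdomain of some unrelated registered domain, and for a UPI code the payee VPA is surfaced so it can be compared with the name the app shows. A clean result is not proof of safety; it only means none of the obvious tricks were found.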
Phishing and quishing attacks may not be visible in plain sight, but the tell-tale signs above can help you tell them apart from the real thing. A little caution before following a social media account, visiting an unfamiliar website, or scanning a code in an unfamiliar place, virtual or physical, works in your favour big time.