Quishing is the new phishing: Why you need to think before you scan that QR code

Main Image
  • Like
  • Comment
  • Share

Take your phone, scan the QR, and pay, it’s that simple, right? In India, almost every person has UPI and every vendor has a QR code that can be used to conveniently pay for goods and services sold. However, if only that was the only use case. Recent reports suggest scammers have formulated ‘QR Phishing’ attacks or ‘Quishing’ that deal with scanning QR to steal sensitive data, inject trojan or malware, or empty one’s bank accounts with a tiny-looking QR code.

Unfortunately, not many people know about this virtual QR-related scam which means, bad actors can easily weaponize QR codes without the person knowing they have been attacked. In this article, we have explained what quishing is, how it is related to phishing attacks, and how you can avoid getting trapped which could potentially cost you your life savings or more. 

What is Phishing?

Phishing is a type of social engineering attack where the attackers create seemingly similar websites and portals that are much like their original counterparts. This attack works by deceiving people into entering their login credentials, and debit/credit card details, or installing malicious software to name a few. 

For instance, if you search any XYX bank’s website on Google, you might end up on a phishing website which is a direct doppelganger to the bank’s original website prompting users to enter their sensitive information only to fall into a mysterious trap where their privacy, security, bank balance, or other assets could be at risk.

Phishing isn’t anything new. However, quishing is relatively new as it is based on QR codes that have been extensively popular in India and other countries. Let’s dig deeper into what’s quishing.

What’s Quishing?

QR Code

Wake out to any grocery or a mall and you will find small checkered QR codes that will do anything from direct to a website, opening a menu, leading to a payment gateway with the receiver’s details already filled in and beyond. We often don’t second-guess before performing any QR code-related actions, just us paying for goods or services, however, that’s dangerous.

Attackers tap this vulnerability by creating fake QR codes that can be stationed on a website, via email, or a phishing website or it could be physical QR codes stationed outside cafes, offices, buildings, etc. Pamphlets, newspapers, social media photos, physical ads, food packaging, and almost any virtual or physical front can be used to post phishing QR codes awaiting their next potential victim. 

Once you scan these QR codes, you will end up losing critical login credentials or user information or it could take you to a spoofed website such as your bank’s or Amazon’s, or install malware without your knowledge. Unfortunately, detecting these quishing attacks has become difficult as attackers evolve their strategies to target innocent users.

Moreover, it is challenging because these QR codes are usually scanned on a different device. You could get a phishing QR code on your PC and you will end up scanning it from your phone which makes this attack violently effective.

How To Detect A Quishing Attack?

Attackers use various social engineering methods to mass their quishing attacks and make them less recognizable. However, there are certain tell-tale signs one could look out for to detect a quishing attack. 

Common signs: Look for misspellings, grammatical errors, phishing websites that may look the same but with tiny differences in URL, logo, and font used, lookalike email addresses, etc. Note that these typos may not be because of incompetent writing but rather to mimic a copyright name, logo, or assets while keeping a similar look and feel.

Text attributes: Most of the time, quishing emails carry emotional manipulation tactics to create a sense of urgency to get a higher success rate. One can easily identify such attacks using AI. Attackers might create a phishing website of your bank asking you to provide certain information and threaten that the account will be closed or services will be stopped. 

Hover, don’t click: What would you do if I sent you a hyperlink saying “Check out Prices for the OnePlus 12”? You would assume this would take you either to a dedicated page on SmartPrix, the OnePlus website, or an ecommerce platform where it is available, right? Well, attackers can use these types of hyperlinks to take you to a phishing website. Thus, it is better to always hover on a hyperlink, and check if the URL seems legit. 

Too good to be true: There’s a popular saying, if something is too good to be true, chances are, it is. Thus, if the offer or the statements used around phishing attempts appear too good, it is better to back off and let it go.

How To Avoid a Quishing Attack?

How To Detect A Quishing Attack?

You might not be able to recover lost money to quishing even if the accused is caught. Thus, it is better to be cautious beforehand. These are some pointers that you must keep in mind.

  • Avoid scanning QR codes posted on random and unfamiliar places such as a random social media post asking you to scan.
  • If the offer is too good to be true, steer away.
  • Always ensure that your website has https since phishing websites may look similar to an original website but without an https tag in the URL.
  • If you spot any errors, misspellings, slightly off logo or text, or anything that an actual brand might not do, it could be a phishing attempt on you.
  • Refrain from entering your PIN or providing any sensitive information on random places, websites, or avenues.
  • Check the URL by hovering on the link before clicking away.
  • Steer away from attachments in emails from unfamiliar sources. 

Wrapping Up!

Phishing or quishing attacks may not be visible in plain sight but some tell-tale signs can help you tell apart such as the ones mentioned above. It is better to be cautious when following any social media account, visiting an unfamiliar website or place, or anywhere whether virtual or physical as it works in your favor big time. 

You can follow Smartprix on Twitter, Facebook, Instagram, and Google News. Visit smartprix.com for the most recent news, reviews, and tech guides.

Related Articles

ImageExclusive: Google Pixel Fold 2 360-Degree Video And 5K Renders Reveal; No More Horizontal Camera Visor

It’s not every day that we see radical new smartphone designs that could change the course of developments. For years, the Google Pixel phones have followed a similar design language, helping the models establish their identity. Leading the front is the horizontal camera visor, which has been around since the Pixel 6 came out in …

ImageWhatsApp brings new web features: Animated stickers, QR codes, dark mode and more

WhatsApp has rolled out some more features that are popular on other similar platforms. The new features include animated stickers, QR codes, dark mode for WhatsApp web, status updates to KaiOS, and group video call improvements. WhatsApp has seen a humungous upsurge in its use since people got locked into their homes due to coronavirus …

ImageXiaomi Mi Pay payment service officially launched in India: Everything you need to know

Muralikrishnan, COO, Xiaomi India officially unveiled the Mi Pay service today in India. The payment service had its homeland launch in 2016 and touched the Indian Subcontinent recently in India through a beta programme. NFC based mobile payment system will be powered by ICICI Bank and PayU. Now with its stable release, let’s see what it …

ImageGoogle’s eSIM Cards by simply scanning QR Code For Android Could Be a GameChanger

If you thought SIM cards were only for phones, think again. The tech world is buzzing with the rise of electronic SIM cards, better known as eSIMs. These digital wizards are breaking free from the confines of phones and making a splash in wearables, IoT gadgets, and even the four-wheeled domain of automobiles. Why all …

ImageWhatsApp adds feature to migrate chats using a QR code

Contrary to the previously available methods, WhatsApp has introduced a hassle-free scan and transfer method to get all your chats from an old device to the new one. Surprisingly, the method uses QR Code. Let’s read more about the new functionality. As of now, you could migrate chats on iOS to Android or Android iOS …


Be the first to leave a comment.