Watch QR codes: Beware of quishing attacks

About a decade ago, nobody in India would have imagined that Quick Response code, popularly known as QR code, would make payments and other online transactions quicker and easier.

Update: 2024-01-30 04:57 GMT

What is a QR code?

A QR code is a type of two-dimensional matrix barcode developed in Japan. It can store up to 4296 alphanumeric characters and can be scanned from any direction, which makes payments easier. In India, QR codes have rapidly increased in popularity, especially after demonetisation and during the COVID pandemic, when transactions shifted to contactless payments. Even small businesses like vegetable vendors use QR codes for payments. QR codes have become popular due to their ease of use, low cost, and quick transaction time.

Consumers love QR code payments because they can pay with their smartphones instead of carrying cash or credit cards. QR codes also give quick access to menus, coupons, or websites.

Of late, the use of QR codes to steal money and personal information, called QR code phishing or ‘quishing’, is on the rise in India. Quishing is a rising scam in the digital world, especially in countries like the USA, India, etc.

What is Quishing?

In quishing, the scammer creates a QR code that, when the victim scans it, redirects the user to a scam website imitating a genuine one. The website asks the user to enter personal information or account details. When the user enters them, the information is sent to the scammer, who can use it to steal money or commit identity theft.

The QR codes may prompt the victim to enter their UPI PIN to send money. When the user enters the PIN, the scammer receives it and steals money from the victim’s bank account. QR codes may also lead to malicious files, which are downloaded after a scan and affect the victim’s phone and all the personal details on it.

Some QR codes might also be used to gain control over social media accounts, enabling scammers to carry out unauthorized activities like sending emails and messages.

How to be careful around QR codes?

To avoid falling prey to a quishing scam, vigilance is important. Before scanning a QR code, check if it is legitimate. When a code leads us to a website or a download link, check whether the URL is legitimate and secure. HTTPS in the website URL tells us that the website is secure. The URL also tells us whether the website belongs to the service or business that we intend to visit or transact with. Fraudulent websites have spelling errors and hyphens in the name.
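The URL checks described above can be automated on the text decoded from a QR code. The following is an added example, not part of the original article; the trusted domain names, the similarity threshold and the function name `check_qr_link` are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the sites the user actually intends to reach (constructed names).
TRUSTED_DOMAINS = ("examplebank.in", "example-pay.com")
LOOKALIKE_RATIO = 0.85  # assumed similarity threshold, tune on real data


def _squash(name):
    """Drop hyphens so 'example-bank.in' compares equal to 'examplebank.in'."""
    return name.replace("-", "")


def check_qr_link(payload, trusted=TRUSTED_DOMAINS):
    """Classify text decoded from a QR code as allow / block / unknown."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme not in ("http", "https") or not host:
        return "unknown", ["not a web link"]  # e.g. payment URIs, plain text

    reasons = []
    if scheme != "https":
        reasons.append("not https")

    # Only the exact domain or a true subdomain of it is the intended site.
    owner = next((t for t in trusted
                  if host == t or host.endswith("." + t)), None)
    if owner is None:
        for t in trusted:
            a, b = _squash(host), _squash(t)
            # Trusted name embedded in another host, or a near-miss spelling.
            if b in a or SequenceMatcher(None, a, b).ratio() >= LOOKALIKE_RATIO:
                reasons.append("lookalike of " + t)
                break

    if reasons:
        return "block", reasons
    return ("allow", []) if owner else ("unknown", ["domain not on trusted list"])


if __name__ == "__main__":
    # Constructed sample payloads, as a QR scanner would hand them over.
    for sample in ("https://www.examplebank.in/pay",
                   "http://examplebank.in/pay",
                   "https://examp1ebank.in/login",
                   "https://example-bank.in.secure-login.com/",
                   "https://weather.example.org/"):
        print(sample, "->", check_qr_link(sample))
```

An "unknown" verdict means the link still needs a manual look, since HTTPS plus an unfamiliar domain says nothing about who runs the site.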

Visit only authentic websites:

We need to check the authenticity of the website by reading the ‘about us’ page to learn about the business and who is involved in the creation of the website. Checking the legitimacy of the website is extremely important, as scammers are experts in copying websites and making them look genuine. By carefully observing the page layouts and URLs, we can distinguish fake websites from genuine ones.

Don’t trust third-party scanners:

Utilise your device's built-in QR scanner to avoid potential risks associated with third-party apps or online scanners.

Enable multi-factor authentication on your online accounts:

If you are tricked into visiting a fraudulent website and you do disclose your password, cybercriminals will still not be able to use that information. The reason is that they do not have access to your other authentication tools (such as the Google Authenticator app). Hopefully, you never find yourself in this position, however.

Think and respond:

A sudden or unprompted request for personal information is most likely a sign of a quishing attack. These scams also tap into emotion to elicit a fast response, so consider whether the message expresses a sense of fear, curiosity, or greed.

Also, note that genuine codes generally direct to a website for information rather than requesting personal data up front, and a reputable site won’t ask for unnecessary access. Despite all these new threats, these attacks can be easily avoided by being vigilant and using common sense.
