Scanning QR codes have become a regular part of our modern life. They can be found all over the place, including on menus at restaurants, in our favorite TV shows, and attached to advertisements. Scanning a QR code is easy to do and often results in visiting a website to learn more or downloading an app.
But not all QR codes are designed to be helpful. Rogue QR codes can sometimes replace legitimate codes with the goal of stealing your personal information or account login information. By filling out the wrong form, you could compromise your bank accounts or other personally identifiable information, putting you at risk of identity theft or financial fraud.
This practice is called “Quishing,” and can affect you quickly and without warning. In this article, we’ll explain the practice of “Quishing,” and what to watch for to prevent becoming a victim.
How does “Quishing” Work?
The term “Quishing” is short for “QR Code Phishing.” Like traditional phishing scams, the goal of a “Quishing” scam is to direct you to a fraudulent link using a QR code. According to the U.S. Postal Inspection Service: “Scammers post physical images of QR codes in a high traffic location or send them via email or text message. Once you scan the QR code, it takes you to a scammer’s website, which may look like legitimate, where the scammer lures you into providing personal or financial information.”
Like a phishing attack, “Quishing” codes and websites attempt to bait you into action on a sense of urgency. The code will lead to a fraudulent website which could threaten consequences unless you login to an account or do what the page says. In many cases, “Quishing” sites will emulate government agency websites, bank login pages or company information to try and look legitimate.
Some of the personally identifiable information scammers may be looking for through “Quishing” includes online account usernames and passwords, Social Security numbers, names, addresses, phone numbers, dates of birth, credit card numbers, debit card numbers and PINs. Any combination of this information can be used to steal money from your accounts or commit financial fraud.
How to Identify and Stop “Quishing”
The first step to prevent “Quishing” is to be careful about which QR codes you scan. Find out more information about who published the QR code and where it is printed. If the QR code came from an unrecognized email or published on a flyer or poster or appears to be stuck on after the item was printed, be careful about following it to the link.
After scanning the code, always ask why someone is asking for your personally identifiable information and what they plan on doing with it. Some of the telltale signs of a QR code scam includes invoking a sense of urgency, telling you to act immediately or face consequences, or pages that don’t match the design of the agency they purport to represent. Bad grammar and poor design can also be telltale signs of a “Quishing” scam.
If you feel like you are being “Quished,” close out of the webpage immediately. You should also report the incident to the bank, government agency, or company the QR code link was trying to portray. You can also report the issue to the Federal Trade Commission at reportfraud.ftc.gov.
Avoiding scams starts with being smart with technology. By understanding what “Quishing” is and the signs of a scam, you can reduce your risk of losses and keep yourself safe online.