Hackers tend to be extremely careful about the new tools they can use to carry out scams and infect modern systems without leaving a trace. The latest threat exploits QR codes to carry out cyber-attacks worldwide — QRishing, what it is called — a hacking technique that involves the use of QR codes to perform phishing attacks.
What is QRishing
QRishing is a name that is a mix of the terms QR code and phishing. The origin of the name allows us to understand the nature of the threat —hackers create malicious QR codes well hidden inside commonly used products or on discount coupons available online.
Just like phishing, this threat targets users who are not attentive or eager to access advantages, bonuses or sudden discounts. Therefore, the simple rear camera of the smartphone is enough to start a cyber-attack, often hidden behind a well-designed web page.
How the attack is carried out
The attack starts when we scan a simple fake QR code — this is possible using the phone’s camera app.
After scanning, the hidden web link of the code will be shown — clicking on the code will open a page with information on the promised benefit (shopping voucher or discount voucher); before redeeming the voucher, you are asked to enter your card or bank account details.
This is a pure scam, born with the sole purpose of deceiving us — after entering the credentials, you will not receive any vouchers or discounts, while the attacker will have access to your card or account, stealing all your money or transactions on your behalf.
In addition to the discount coupon, malicious QR codes can hide web pages that seem harmless, like a fake site of some famous bank. By opening the page in the browser, the inexperienced user could easily mistake it for the official page, thus providing access to data for intruders.
It is also possible for links hidden behind QR codes to also contain mobile malware, although in most cases, they are just links to pages designed to scam people.
How to defend yourself from QRishing
The greatest caution is to avoid QR codes combined with discounts and promotions, especially if distributed online. Even if these codes are widely used for promotions, it is advisable to use the alphanumerical part of the code (always visible on real vouchers) to be entered only on the official website of the shop or on the website provided by the promotional activity.
- If the URL appears dubious at first glance, you should avoid accessing it directly.
- Check that the website you’re about to visit always adheres to security and secure browsing standards, such as HTTPS.
- Use link analyzers and online antivirus tools like VirusTotal and URLVoid. This way, before you access the web, you can ensure that it is not a social engineering attack like QRishing.
- You can also use apps, such as Kaspersky QR Scanner, available on Android and iOS, which performs a variety of security checks before activating the QR code on the smartphone.
- Do not disclose any private information or passwords to web pages accessible via a QR code. It is more convenient to access bank pages or online stores where you enter your credit card or debit card details using the official URL or through its own application.
What to do in case of an attack
In this case, timing is everything — immediately call the bank and ask for the account to be blocked, the card to be blocked, and any pending money transfer to be blocked to limit the loss.
After saving the account, it is advisable to contact the Police, explain what happened, and provide a copy of the QR code and the link that led to the scam.
QR codes are widely used in marketing online shops and IT chains to provide access to services and discounts. Still, we must pay close attention to the QR codes we scan.