Avoid quishing

A close cousin to phishing, quishing is a new cyber security threat that uses QR codes to scam victims.

No, it’s not a new toy craze. Despite its cute name, quishing is in fact a serious new threat to cyber security. A combination of the words ‘QR code’ and ‘phishing,’ it leverages QR codes to lure victims into being scammed. Scammers may try to steal passwords or other personal data or infect your device with malware.

The QR code can be distributed by email, social media, or even physical printouts (e.g. fake parking tickets, special offers, fake payment methods). These codes can sometimes bypass existing spam filters because the filters register QR codes as benign images.

How to identify a quishing email

Fortunately, quishing emails bear all the same hallmarks as regular phishing emails and can be identified by their:

  • urgent or threatening tone
  • poor spelling or grammar
  • incorrect branding or email address
  • generic greeting (e.g. Dear user)
  • unfamiliar sender
  • sense of being ‘not quite right’.

Read more about the types of scams and how to recognise them.

What happens if you get ‘quished’?

The consequences of scanning a malicious QR code are the same as clicking a malicious link:

  • You might be redirected to a phishing website.
  • Your device might be infected with malware.
  • You might be asked to enter login data for an online account, which attackers then use to steal your information.

How to stay safe from quishing

Here are five things you can do to avoid the dangers of QR code phishing:

  1. Be as vigilant about QR codes as you are about malicious links, and never scan a QR code in an email from an unfamiliar sender.
  2. Familiarise yourself with the signs of a phishing email.
  3. When you scan a QR code on your phone, examine the URL preview carefully. Don’t click on any unfamiliar or shortened links, and look for slight misspellings in familiar names.
  4. If the QR code takes you to a page that asks for your login credentials, don’t enter them. If you think the request is legitimate, go to the company’s website directly or contact them by phone.
  5. Maintain good cyber practices: set strong passphrases instead of passwords, enable multi-factor authentication anywhere it’s available, and make sure your devices are up to date.
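
The URL checks in step 3 (unfamiliar or shortened links, slight misspellings of familiar names) can also be automated for URLs already decoded from a QR code. The Python sketch below is an added example, not part of the original article; the trusted-domain and shortener lists, the sample URLs and all function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample lists (assumptions): substitute your organisation's own.
TRUSTED_DOMAINS = {"university.example", "mybank.example"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def review_qr_url(url):
    """Return warning labels for a URL decoded from a QR code (empty list = none)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    if parts.username is not None:
        warnings.append("userinfo-in-url")   # text before '@' can mimic a trusted name
    if host in SHORTENER_HOSTS:
        warnings.append("shortened-link")    # real destination is hidden
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")     # may render as lookalike characters
    domain = registered_domain(host)
    if domain not in TRUSTED_DOMAINS:
        warnings.append("unfamiliar-domain")
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= 2:
                warnings.append(f"lookalike-of:{trusted}")   # slight misspelling
            elif trusted in host:
                warnings.append(f"trusted-name-in-host:{trusted}")
    return warnings

if __name__ == "__main__":
    for sample in ("https://portal.university.example/parking",   # constructed samples
                   "https://bit.ly/3abcd", "http://mybamk.example/login"):
        print(sample, "->", review_qr_url(sample) or "no warnings")
```

An empty result only means none of these specific checks fired; it does not show that the destination is safe.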

October is Cyber Awareness Month

Join a webinar on cyber basics featuring Daniel Storey, Director Vic/Tas, Australian Signals Directorate.

Details: Monday 30 October, 11am AEDT

Register to attend

You can also join the Cyber Security Workplace group to stay updated on the latest in cyber security news at ACU.
