Avoid quishing

A close cousin to phishing, quishing is a new cyber security threat that uses QR codes to scam victims.

No, it’s not a new toy craze. Despite its cute name, quishing is in fact a serious new threat to cyber security. A combination of the words ‘QR code’ and ‘phishing,’ it leverages QR codes to lure victims into being scammed. Scammers may try to steal passwords or other personal data or infect your device with malware.

The QR code can be distributed by email, social media, or even physical print outs (eg. fake parking tickets, special offers, fake payment methods). They can sometimes bypass existing spam filters because the systems register QR codes as benign images.

How to identify a quishing email

Fortunately, quishing emails bear all the same hallmarks as regular phishing emails and can be identified by their:

• urgent or threatening tone
• poor spelling or grammar
• incorrect branding or email address
• generic greeting (eg. Dear user)
• unfamiliar sender
• provoke feelings of being ‘not quite right’.

Read more about the types of scams and how to recognise them.

What happens if you get ‘quished’?

The consequences of scanning a malicious QR code are the same as clicking a malicious link:

• You might be redirected to a phishing website.
• Your device might be infected with malware.
• You might be asked to enter login data for an online account, which attackers then use to steal your information.

How to stay safe from quishing

Here are five things you can do to avoid the dangers of QR code phishing:

1. Become as vigilant against QR codes as malicious links and never scan a QR code in an email from an unfamiliar sender.
2. Familiarise yourself with the signs of a phishing email.
3. When you scan a QR code on your phone, examine the URL preview carefully. Don’t click on any unfamiliar or shortened links, and look for slight misspellings in familiar names.
4. If the QR code takes you to a page that asks for your login credentials, don’t enter them. If you think the request is legitimate, go to the company’s website directly or contact them by phone.
5. Maintain good cyber practices and set strong passphrases instead of passwords, enable multi-factor authentication anywhere it’s available, and make sure your devices are up-to-date.

October is Cyber Awareness Month

Join a webinar on cyber basics featuring Director Vic/Tas Australian Signals Directorate, Daniel Storey.

Details: Monday 30 October, 11am AEDT

Register to attend

You can also join the Cyber Security Workplace group to stay updated on the latest in cyber security news at ACU.