It is common knowledge that phishing is a danger on the Internet. As new technical options have developed, the methods of phishing have changed over the years. Broadly speaking, whatever technical options exist have always been used for fraud attempts, and still are. This now also applies to QR codes, which have become fairly widespread in everyday life. With them, the scam known as quishing has emerged. But what exactly is quishing, how does it work and how can we protect ourselves from it?
From phishing to quishing
Quishing is a further development of phishing that works with QR codes instead of simple links. Phishing is the attempt to impersonate another, trustworthy person via emails, fake websites or short messages in order to gain access to data that is actually protected. In practice, this means emails that pretend to come from a bank, redirect to a fake bank page and ask for online banking data. Or the link leads to a page that starts an automatic malware download. Anyone who falls for this usually loses a lot of money as a result. Sometimes phishing also involves additional methods to put victims under pressure and force them to hand over passwords and other data.
In the case of quishing, as already mentioned, QR codes are used. In practice, this means that the alleged bank emails no longer contain links to fake websites, but QR codes that lead to them as soon as they are scanned.
Security vulnerabilities as a gateway
Quishing is more attractive to criminals than simple phishing. This is due to a security gap: virus scanners only recognize QR codes as images and do not check the link encoded in them. Anyone who wants to use QR codes to lead people to malicious websites therefore has an easy time of it, at least with virus scanners. For you, this means that you should never assume that a QR code in an email leads to a harmless website just because your virus scanner has classified it as non-threatening.
Moreover, QR codes in emails hardly arouse suspicion nowadays. We are used to switching platforms in many areas of life. In online banking, for example, it is now common to legitimize payments made on a PC on a cell phone. Accordingly, we don't necessarily become suspicious when we are asked to pull out our cell phone to scan a QR code and perform an action.
Quishing also takes place in a semi-analog space, which criminals can regard as progress. Letters carrying QR codes are no longer an exception. Criminals can take advantage of this by setting up deceptively real-looking letters and equipping them with a QR code, which in turn leads to a malicious website.
How to recognize quishing attempts
Now that we have clarified what quishing is, another question arises: how can you recognize quishing attempts and protect yourself from them? A few simple tips will help.
- Check the sender address of an email before scanning any QR code inside it. In most cases, it is easy to tell here that it is a fake: official mail addresses of existing companies cannot be used. Instead, the sending address contains dubious names, number-letter combinations or names that resemble the real ones, such as firstname.lastname@example.org or similar.
- If you have any doubts, you can contact the company or organization from which the mail is supposed to originate. Use official contact channels, which you can find on the official website. With an email or a phone call, you can usually quickly clarify whether the original contact was genuine.
- Use two-factor authentication for all major online services you use. Even if your contact information falls into the wrong hands via phishing or quishing, this will keep your accounts protected.
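
The sender check from the first tip, sketched as an added example (not code from the original article). It assumes a hypothetical official domain examplebank.com, a constructed email, and a QR payload that a separate QR reader has already decoded to a URL; the same comparison is applied to the sender address and to the host the QR code points to.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the domain(s) you know to be official for the claimed sender.
OFFICIAL_DOMAINS = {"examplebank.com"}

def classify_domain(domain, official=OFFICIAL_DOMAINS, threshold=0.8):
    """Return 'official', 'lookalike' or 'unrelated' for a mail or web domain."""
    domain = (domain or "").lower().rstrip(".")
    for good in official:
        # Exact match or a genuine subdomain of the official domain.
        if domain == good or domain.endswith("." + good):
            return "official"
    for good in official:
        brand = good.split(".")[0]
        # Brand name embedded in a foreign domain, or a near-identical spelling.
        similar = SequenceMatcher(None, domain, good).ratio() >= threshold
        if brand in domain or similar:
            return "lookalike"
    return "unrelated"

def check_message(raw_email, decoded_qr_url):
    """Classify the From address and the QR target of one email."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    qr_host = urlsplit(decoded_qr_url).hostname or ""
    return {
        "display_name": display_name,
        "sender_domain": sender_domain,
        "sender": classify_domain(sender_domain),
        "qr_host": qr_host,
        "qr_link": classify_domain(qr_host),
    }

# Constructed sample: the digit "1" replaces the letter "l" in the sender domain.
SAMPLE_EMAIL = (
    'From: "Example Bank Service" <security@examp1ebank.com>\n'
    "To: customer@example.org\n"
    "Subject: Confirm your account\n"
    "\n"
    "Please scan the QR code to confirm your account.\n"
)
# Constructed sample: URL as a QR reader would show it before opening.
SAMPLE_QR_URL = "https://examplebank.com.login-verify.example/session"

if __name__ == "__main__":
    for key, value in check_message(SAMPLE_EMAIL, SAMPLE_QR_URL).items():
        print(f"{key}: {value}")
```

Anything other than "official" for either the sender or the QR target is a reason to contact the company through its official channels before scanning or opening the link.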