When did you last see a QR code? Where? Did you scan it? Did you use it to view train times or to enter a competition? Pay your parking? Most importantly, did you trust it? Tim Clark explores quishing.
Our modern world is full of conveniences that we don’t stop to think about. In the early days of the internet, it was common to be sent to a direct link to an organisation’s website. Today, with a limited selection of concise domains and a desire to outsource click tracking for marketing, it’s more common to use shortened links and quick-response (QR) codes. The friction encountered when navigating to a URL can make or break the customer experience.
However, taking this friction away often makes us think less when we navigate to a URL. Most people would say they are unlikely to fall for a poorly worded phishing email or text, especially if the URL is clearly fake. But what if that URL has been obfuscated by a QR code?
‘Quishing’ is a variant of phishing where an attacker either plants a QR code where one never existed, or covers an existing one with a sticker, replacing the legitimate code. It has been found on parking ticket machines, EV chargers, counterfeit parking tickets and realistic-looking bank letters.
Notably, parking ticket machines now offer payments via apps such as RingGo or PayByPhone. As network providers decommission 3G data networks, many machines that rely on them will cease to function, and these app-based services become the new normal. A danger lurks: as drivers befuddled by an increasing number of options seek convenience, quishing attacks become easier.
In Southend-on-Sea, drivers who scanned one of 100 codes that appeared on parking notices were scammed. The council had to issue an alert to say they do not use QR codes on any of their parking signage. These scams have also occurred in continental Europe.
It is simple for an attacker to create a QR code on a sticker, and either replace an existing code, or place the fake one in a prominent position. Our blind focus on a task means we often scan and act quickly without thinking. Such scams are becoming so common the RAC has warned drivers to be ‘QRareful’. Drivers can even be caught twice: paying the scammer but later receiving a fine due to not actually paying for their parking.
If you don’t drive, consider how many conferences now use short links or QR codes. And how often have you scanned a QR code to receive a discount or sign up to a newsletter? These interactions can also be exploited by attackers and used to steal sensitive information or credentials. Such attacks can be targeted at senior leaders or those with privileged access to IT systems. With AI tools allowing foreign scammers to write more convincing English prose, and even build entire websites more rapidly, the threat is growing.
What can you do to protect yourself? Most of us are trained to treat suspicious email attachments and links with caution, so keep that advice in mind. Scan with caution, and use the URL preview features on your smartphone to see if a link is safe. Remember, a password manager won’t autofill on a suspicious website, so think twice before you manually copy credentials.
If scanning a QR code yields a shortened link from a service like Bitly or Rebrandly, you can often use an expander tool to see the actual URL without navigating to it. If in doubt, go to a company’s website directly, perhaps via a search engine. Search trusted app stores to download official apps, and be wary of compelling competitions and giveaways.
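As an added example (not part of the article), the small offline Python check below applies the advice above to the text decoded from a QR code: it refuses non-web payloads, treats Bitly/Rebrandly-style shorteners as "expand first", flags the tricks that make a previewed URL look legitimate, and compares the real hostname against an allowlist of provider domains. The shortener domains and the allowlist (ringgo.example, paybyphone.example) are constructed placeholders, not the providers' real domains.

```python
"""Triage the text decoded from a QR code before opening it (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed lists: shortener domains for the services named in the article,
# and a placeholder allowlist of the provider domains printed on official signage.
SHORTENER_HOSTS = {"bit.ly", "rebrand.ly"}
TRUSTED_HOSTS = {"ringgo.example", "paybyphone.example"}


def _is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage(payload: str) -> dict:
    """Return {'verdict', 'host', 'reasons'} for the text decoded from a QR code."""
    reasons = []
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return {"verdict": "not-a-web-link", "host": None,
                "reasons": [f"scheme {parts.scheme!r} is not http(s)"]}
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return {"verdict": "suspicious", "host": None, "reasons": ["no hostname"]}
    if parts.username is not None:
        reasons.append("text before '@' is a username, not the site; real host follows it")
    if _is_ip(host):
        reasons.append("bare IP address instead of a brand domain")
    if any(lbl.startswith("xn--") or not lbl.isascii() for lbl in host.split(".")):
        reasons.append("internationalised label (possible homoglyph domain)")
    if parts.scheme.lower() == "http":
        reasons.append("plain http, no TLS")
    if any(host == s or host.endswith("." + s) for s in SHORTENER_HOSTS):
        reasons.append("link shortener: expand it before visiting")
        return {"verdict": "expand-first", "host": host, "reasons": reasons}
    trusted = any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)
    # Brand name inside an unrelated domain is the classic lookalike
    # (e.g. ringgo.example.attacker.test or pay-ringgo.test).
    if not trusted and any(t.split(".")[0] in host for t in TRUSTED_HOSTS):
        reasons.append("brand name used inside a non-official domain")
    if trusted and not reasons:
        return {"verdict": "trusted", "host": host, "reasons": []}
    if not trusted:
        reasons.append("domain is not on the official-provider allowlist")
    return {"verdict": "suspicious", "host": host, "reasons": reasons}
```

The checker only inspects the decoded text; expanding a shortener still needs a separate tool or service, exactly as the advice above says.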
If it seems too good to be true, it probably is.