QR codes have come a long way since being invented in 1994 by a subsidiary of Toyota. Initially introduced to address some limitations of barcodes during the car manufacturing process, QR codes have since become staples in people’s day-to-day lives.

The introduction of high-powered cameras to most modern smartphones is what allowed these codes to gain new uses. QR codes, easily generated and cost-free, provide a convenient solution to redirect users to an otherwise long or complicated URL.

While these black-and-white squares initially saw slow adoption, their usage has exploded for wide-ranging applications, from advertisements to restaurant menus.

This increased presence was also correlated with a dramatic increase in cyber attacks using this technology. In September 2023 alone, these attacks have grown by 51%.

This article will explain how hackers leverage QR codes to lead cyber attacks, how you can detect them, and the best practices to remain protected.

What is Quishing?

Quishing is a variant of phishing utilizing QR codes that deliver malware or redirect the victim to a fraudulent or spoofed website. These malicious QR codes are disseminated through various methods, like posters in public places, regular mail, emails, and even stickers applied over existing QR codes displayed in restaurants to access menus.

As the use of QR codes increased, people have let their guard down. While they might be cautious of clicking a link proposed to them, QR codes don’t yet elicit the same vigilance.

3 Examples of Quishing

QR codes are an incredibly versatile technology with a wide range of uses. These codes provide great convenience and are often used in situations meant to save time for the user, which can lead the person scanning a QR code not to take the time to analyze it properly.

Here are the most common QR scam situations:

QR code login

With an increasing reliance on computers to work and execute simple, mundane tasks, people have to remember a large amount of passwords. For this reason, many of the most commonly used apps and software now offer an alternative QR code login.

This method allows users to scan a QR code displayed on their computer to log in automatically through fingerprint or facial recognition or via an existing logged-in session on their smartphone or an authenticator app.

Hackers have been known to create fake QR codes, usually sent via emails, masquerading as a standard or familiar app to get them to scan it. Victims are then taken to a fraudulent website presenting an error and asking them to re-enter their credentials to steal them.

Physical QR codes

This method involves a QR code on a flyer, letter, sticker, or poster with an attached offer like a gift card or simply access to required content like a restaurant’s menu. These attacks usually lead victims to websites infected with malware downloaded on the affected phone to steal information.

Fraudulent invoices

Hackers have also been known to send fake invoices to various companies with a fraudulent QR code redirecting users to a fake payment page. Victims then enter their credit card or banking information, making the attack successful.

4 Ways to Stay Protected Against Quishing

QR codes are very efficient and convenient and will likely not be going away from our daily lives. For that reason, it’s a good idea to brush up on a few best practices for QR code scanning:

Think before you scan

Before you scan a code, think about the situation. Is it a typical QR code application? Does it make sense for a business to rely on one instead of simply displaying a URL? Is the code present in a business or institution you know or trust? Does this business usually rely on QR codes?

If you are unsure about any of these questions, it’s probably a good idea to hold off scanning the code and typing in the URL to find the content you’re looking for. It only takes a few more seconds, and it’s much safer to do.

Only scan trusted QR codes

Just like you wouldn’t visit a URL that seems fishy, you shouldn’t scan a QR code without knowing exactly where it’s taking you. QR codes are often displayed in public spaces, which makes them easy to modify.

Before scanning a QR code, always check if it seems to have been tampered with or if a sticker has been applied over the original document.

Use a secure QR code scanning app

Most camera smartphone apps can now scan and open QR codes. However, most of them lack basic security features for this capability. Download a dedicated QR code scanning app from a reputable company for this specific purpose.

These apps come equipped with features like URL preview before thoroughly scanning the code and warning messages if the URL seems fraudulent.

Use mobile security apps

As smartphones have become ubiquitous, hackers have increased their efforts to hack them. In fact, smartphones are now more likely to be hacked than computers because most people have little or no cyber security measures on their phones.

Even without the fear of quishing, it’s a good idea to download a mobile security app to your smartphone to be alerted of fraudulent URLs, downloads, and other suspicious activity so you can catch it before it does serious damage to your device.

Understanding and Mitigating Quishing Risks

As the world relies on internet connectivity more than ever, QR codes will only become a bigger part of our lives in the coming years. If users aren’t informed about the risks they pose, this technology is sure to become a significant commonplace cyber threat.

While the growth of mobile devices has benefited individuals and businesses alike, the omnipresence of this technology must be backed with renewed cyber security awareness training. Malicious QR codes are only one of the symptoms of the increased reliance on mobile devices worldwide.



Equip your team with the knowledge to recognize and dodge these attacks

starting with this no-strings-attached 30-day phishing simulation on us.