"Verifying QR Codes Prior to Scanning: A New Normal"
In a recent alert, the Consumer Advice Centre Brandenburg (VZB) has warned consumers about a new type of phishing attack known as "Quishing." This scam uses malicious QR codes to trick victims into revealing sensitive information or installing malware on their devices.
How Quishing Works
Criminals generate QR codes containing links to fraudulent websites or malicious scripts. These QR codes are distributed through various means, such as phishing emails, fake invoices, physical flyers, stickers placed over legitimate QR codes, or unsolicited packages. When a victim scans the QR code using their smartphone, they are redirected to a convincing but fake webpage or prompted to download malware.
Victims may unknowingly enter their credentials or unintentionally install malware, leading to stolen passwords, bank data, or unauthorized payments.
Warning Signs and How to Avoid Falling Victim
To avoid falling prey to Quishing, consumers should be aware of certain warning signs:
- Unsolicited packages or messages containing QR codes, especially if you did not order anything, can be a trap to steal information.
- QR codes placed over legitimate codes in public places or unfamiliar locations should raise suspicion.
- Requests to scan QR codes that promise money transfers or require inputting sensitive data should be approached very cautiously, as fake QR codes often mimic payment or banking services but actually lead to scams.
- Lack of readable URL or suspicious short links appearing after scanning — QR codes are opaque and don’t show links beforehand, so any unexpected webpage or payment prompt should be treated with caution.
- Verify the source before scanning: Only scan QR codes from trusted sources or official documents. Avoid scanning codes sent via unsolicited emails, messages, or found on random packages.
In addition, using smartphone settings or security apps that preview URLs encoded in QR codes before opening them can help prevent Quishing attacks. Consumers should also be cautious of requests for login credentials or OTPs after scanning a QR code, as legitimate services rarely ask for these in this way.
Protecting Yourself from Quishing
To extra protect login data, VZB recommends setting up two-factor authentication (2FA) on PayPal for both payments and logins. This additional layer of security can help prevent scammers from accessing accounts without further confirmation, such as a code in an SMS or 2FA app.
Many smartphones allow users to check the link before opening it, allowing comparison with the original address. In general, VZB advises against scanning QR codes from unknown sources. Fake QR codes can be found in public places like transportation, parking meters, or even on fake parking tickets.
In summary, quishing exploits the difficulty of verifying QR codes and relies on social engineering to lure victims into scanning malicious QR codes that lead to phishing sites or malware. Vigilance about source authenticity and scrutinizing the context of QR codes are critical defenses against this scam. Stay safe and be aware of the risks associated with Quishing.
- To prevent falling victim to the Quishing scam, consumers should be cautious of QR codes appearing in unsolicited packages or messages, as they may contain malicious links or malware.
- When scanning QR codes, especially in public places or from unknown sources, it's crucial to verify the URL to ensure it leads to a legitimate service or technology.
