In the rapidly evolving digital landscape, cyber threats are becoming increasingly sophisticated. One of the latest scams gaining notoriety is "QRishing," a term that combines "QR" (Quick Response) code and "phishing," a technique used by cybercriminals to deceive people and obtain sensitive data and information.
Criminals often lure victims with promises of large prizes, disguising themselves as reputable companies, and according to the National Police, this has led to a sharp increase in these types of crimes in recent months.
What are QR codes?
QR codes offer numerous advantages in various fields due to their versatility, ease of use, and efficiency. They enable quick access to digital information simply by scanning with a smartphone or QR reader, eliminating the need for lengthy manual inputs or web searches.
QR codes are cost-effective and environmentally friendly, as they reduce the reliance on printed materials by linking users directly to websites, documents, or apps. Their broad compatibility across devices and platforms makes them a practical tool for marketing, education, and logistics.
QRishing is a form of phishing that uses QR codes to direct users to fraudulent websites. These small, pixelated squares are scanned with a smartphone camera, usually leading to a webpage, downloading an app, or performing another digital action.
While QR codes are generally harmless and highly useful, their growing popularity has attracted cybercriminals who have found ways to exploit this technology for malicious purposes.
The QRishing process is straightforward but effective. A scammer creates a QR code that, when scanned, redirects the user to a fake website. This site may closely mimic a legitimate login page for a bank, social network, or e-commerce portal. Once the victim enters their credentials or personal information, the scammer has all the data.
Unlike traditional phishing, where the user must click on a suspicious link in an email or text message, QRishing capitalises on visual trust and user curiosity. Since QR codes don't display the URL they link to, it’s difficult for victims to determine if the destination is safe or not.
QRishing can happen anywhere a QR code is present. Attackers often place these codes in public places, such as posters, advertisements, and even on restaurant tables. Sometimes, they simply cover a legitimate QR code with a fake one, taking advantage of the fact that most people don't scrutinise QR codes before scanning them, or the links before opening them.
With the rise of remote work and digital processes, QRishing has also made its way into emails and text messages, where attackers send QR codes as part of supposed security procedures or special offers.
In response to the growing number of reports, the National Police have issued ten tips to help avoid becoming a victim of QRishing:
1. Be wary of promotions received via email or social media: They may include a link to a fraudulent website designed to steal your personal and financial information. Instead of clicking the link, find the offer directly through your browser.
2. Avoid falling for deals that seem too good to be true: Scammers often create fake e-commerce sites offering popular items at steep discounts, then disappear after collecting victims' money.
3. Watch out for "typosquatting": Ensure the URL is correctly spelled when entering a website, as a small typo can lead you to a malicious site.
4. Stay alert to QRishing: Scammers can manipulate QR codes to make you download malicious software or redirect you to a fraudulent website to steal your sensitive data.
5. Be cautious with SMS or emails from delivery companies: Especially during busy shipping periods, as these might be phishing attempts. Avoid clicking on any links.
6. Pay attention to the design of online stores: Poor-quality images, poorly translated texts, or missing tax identification numbers should raise red flags.
7. Ensure that discounts apply to the price, not quality: The quality of products and consumer rights should remain unchanged.
8. Look for the padlock icon and "https" in the URL: This indicates that you are on a secure website.
9. Be cautious: If a website seems suspicious and only asks for your card or bank details, don’t use it.
10. If you become a fraud victim: Immediately change your passwords, cancel your credit or debit card, contact your bank, and report the incident to the National Police.
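Because a QR code does not show where it leads, the decoded link can be checked before it is opened. The following is an added example, not part of the original article or the National Police guidance: it reviews the text decoded from a QR code for a missing https, a numeric or disguised host, and typosquatted look-alikes of sites the user trusts. The function names, the TRUSTED allowlist and the .example/.test addresses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist (assumption): sites this user really does business with.
TRUSTED = {"bank.example", "shop.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_qr_payload(payload: str) -> list[str]:
    """Return warnings for the text decoded from a QR code; [] means no warning."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable URL"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not a web link"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("no https")
    if "@" in parts.netloc:
        warnings.append("text before '@' is not the real site")
    try:
        ipaddress.ip_address(host)
        warnings.append("numeric IP instead of a site name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode name can imitate other letters")
    # Simplification: last two labels; production code needs the Public Suffix List.
    domain = ".".join(host.split(".")[-2:])
    if domain not in TRUSTED:
        near = sorted(t for t in TRUSTED if edit_distance(domain, t) <= 2)
        if near:
            warnings.append(f"look-alike of {near[0]}")
        elif any(t in host for t in TRUSTED):
            warnings.append("trusted name used only as a subdomain")
        else:
            warnings.append("unknown domain")
    return warnings
```

An empty result only means the link points at an allowlisted site over https; it says nothing about sites outside the list, which are always reported as unknown.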
As QRishing continues to spread, these preventive measures are crucial for safeguarding personal information against this growing cyber threat.