With payments going digital in many parts of the world, we’ve had a lot of perks. Transactions have become quicker than ever, and finding change is a thing of the past. That said, there are some cons too – the latest being fraudulent QR codes used to dupe unsuspecting users.
In a new kind of cyber-attack called ‘Quishing’ or QR code phishing, fraudulent QR codes are stuck up in everyday spots, leading people to make payments to the wrong recipient or, worse, to visit a site that steals their personal data.
Here’s everything you need to know about quishing, and how you can stay safe.
What is quishing?
As you probably already know, QR codes encode a small amount of information, most often a URL, that can quickly take you to a specific page. This could be a payment platform, a restaurant’s digital menu or pretty much anything else.
The versatility of QR codes is, however, a double-edged sword. This is because a QR code with malicious intent will look as unsuspicious as a legitimate one. This is why many attackers are now using QR codes to lead people to malicious websites.
As explained above, these websites can again be phishing sites (fake websites made to look identical to their original counterparts) which can then ask unsuspecting victims to input their personal data, credentials or other information, all of which can then be sent directly to the attacker, all without the victim even knowing he/she was attacked.
Why is spotting a malicious QR code difficult?
As good as phishing links are, there are a few ways to spot them. For starters, the URL will usually have an incorrect spelling (like www.faecbook.com) which many may not notice in a hurry. This alerts you to the fact that you may be clicking on a malicious URL. However, QR codes give you no such indication.
This is because all QR codes look equally abstract. Unlike URLs, there are no letters to read, just black and white squares that people cannot make heads or tails of. This is why most people may not realise they have scanned a bad QR code until it’s too late.
Such QR codes may be stuck outside your favourite store, under an advertisement on public transport, or other similar areas. This is why quishing is such a big problem in many regions, including the UK.
What you can do to avoid being a quishing victim
Until the internet comes up with some way to verify QR codes before they are scanned, there are some steps you can take to avoid scanning a malicious one.
If you’re at a store, always make it a point to ask the shopkeeper or any other relevant person if the QR code you’re about to scan with your smartphone is the right one. You can avoid a lot of fake QRs with this simple step, and also alert establishments who themselves may not know that an attacker has left any such QR codes on the premises.
Check what kind of link the QR code takes you to. If it’s a payment link, it should only take you to a payment platform like Google Pay, Paytm, etc. If it’s a webpage link, it should only take you to the right webpage.
In the case of payment QR codes, it is also a good practice to check the name of the receiver with the establishment. Whether you’re paying at a store or paying your cab driver, simply confirming the name of the individual or establishment will help you avoid any trouble later.
If the QR code takes you to a link, you can now also check the URL manually, as you would with any other link. That is all you need to know about quishing for now.
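The checks in the steps above can also be applied to the text a scanner decodes from a QR code before anything is opened. The following is an added example, not part of the original article: it assumes a payment code carries a `upi://pay` link with `pa` (payee address) and `pn` (payee name) fields, and the trusted-host list and sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: sites this user expects to reach (constructed list).
TRUSTED_HOSTS = {"facebook.com", "paytm.com", "pay.google.com"}

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters costs one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def check_qr_payload(payload, expected_payee=None):
    """Classify the text decoded from a QR code; returns (verdict, detail)."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme == "upi":  # payment link: compare the payee with the shop's name
        query = parse_qs(parts.query)
        payee, vpa = query.get("pn", [""])[0], query.get("pa", [""])[0]
        if expected_payee is None:
            return "confirm", f"pays {payee!r} ({vpa}); confirm the name first"
        if payee.strip().casefold() != expected_payee.strip().casefold():
            return "suspicious", f"payee {payee!r} is not {expected_payee!r}"
        return "ok", f"payee {payee!r} matches"
    if scheme not in ("http", "https"):
        return "suspicious", f"unexpected link type {scheme!r}"
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
        return "ok", f"{host} is a trusted host"
    for t in sorted(TRUSTED_HOSTS):  # misspellings such as faecbook.com
        if osa_distance(host, t) <= 2:
            return "suspicious", f"{host} looks like {t}"
    return "unknown", f"{host} is not on the trusted list; read it carefully"

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would decode them.
    for sample in ("http://www.faecbook.com/login",
                   "upi://pay?pa=stranger@bank&pn=Some%20Stranger&am=500"):
        print(sample, "->", check_qr_payload(sample, "Corner Cafe"))
```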
Disclaimer: This post as well as the layout and design on this website are protected under Indian intellectual property laws, including the Copyright Act, 1957 and the Trade Marks Act, 1999 and is the property of Infiniti Retail Limited (Croma). Using, copying (in full or in part), adapting or altering this post or any other material from Croma’s website is expressly prohibited without prior written permission from Croma. For permission to use the content on the Croma’s website, please connect on contactunboxed@croma.com
Chetan Nayak