After gaining renewed prominence during the pandemic, QR codes continue to be a popular and convenient way to quickly store and share information. You’ve likely scanned one of these square barcodes to view a menu at a restaurant or access a coupon. However, the technology’s widespread use has also made it a modern-day Trojan horse through which cybercriminals can gain access to sensitive information that can be used to carry out financial crimes. This new scheme is called quishing, a phishing scam that uses QR codes to lure unsuspecting victims into divulging personal information or installing malware onto their devices.
This new, sophisticated scam may take the form of a text message or email from what appears to be your trusted parcel delivery service, alerting you to a shipping delay and prompting you to scan a QR code to resolve the issue. Yet, by doing so, you could be unwittingly opening the door to cybercriminals hoping to deceive and exploit you. Fortunately, there are steps you can take to protect yourself and your organization from these types of malicious schemes, so let’s talk about some practical tips you can adopt.
Spot the signs
By using similar branding and language, cybercriminals impersonate popular parcel delivery services or other reputable institutions to trick individuals into scanning seemingly innocuous QR codes, which direct victims to a malicious website designed to steal credit card information or other personally identifiable information. According to security software provider McAfee, cybercriminals often pose as popular organizations such as the U.S. Postal Service, FedEx, UPS and Amazon to appear legitimate and cast a wide net for potential victims. You may, however, avoid the trap by spotting the following signs:
- Suspicious email addresses: Check the sender’s address carefully and look for subtle misspellings or unusual domain names. Quishing emails often come from addresses that are similar, but not the same as, legitimate companies.
- Urgent or unusual requests: Be wary of emails that create a sense of urgency or pressure you to take immediate action. All messages that claim your package is delayed, lost or requires additional information should be scrutinized.
- Poor grammar and spelling: One of the most common signs of a quishing message is spelling errors and poor grammar. Remember that reputable companies usually maintain proper and professional communication.
- Generic greetings: Phishing emails are rarely personalized and often use generic greetings like “Dear Customer”. The impersonal touch can be a tell-tale sign of a scam.
- Requests for personal information: It is important to remember that legitimate parcel delivery services will never ask for sensitive information like passwords, Social Security numbers or payment details over email. Be cautious if you receive these types of requests.
How to protect yourself
To safeguard yourself from quishing attacks as official communication continues to move to digital platforms, it’s crucial to be proactive and vigilant. Let’s walk through some steps you can take to protect your personal information and avoid falling victim to one of these scams.
- Verify authenticity: Carefully evaluate the authenticity of emails and messages that include QR codes before scanning them. If you suspect the message to be a scam, contact the company you think may have sent it using an independently verified phone number or email address. Do not tap on any links in the message.
- Check URLs: Hover over links, or use a QR scanner app that previews the destination URL, to see where you will actually be sent before clicking or scanning. Look for subtle spelling variations, added words or hyphens, such as fed-exdeliverynotices.com instead of the legitimate fedex.com.
- Use trusted sources: Only scan QR codes from sources you trust and have verified. Use official tracking websites and apps to track parcel deliveries whenever possible.
- Educate employees: Share this information with employees to help them understand the risks of quishing and how to identify suspicious emails or messages.
- Report suspicious activity: If you receive a suspicious email or message, notify the appropriate authorities, such as the Federal Trade Commission or the customer service department of the alleged sender.
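The URL check above can be automated for a mail gateway or a QR-scanner preview. The following Python is an added example, not code from the article or its cited sources; the brand allowlist and the two-label domain heuristic are constructed for the example, and the fed-exdeliverynotices.com case is the article's own.

```python
from urllib.parse import urlsplit

# Constructed allowlist: legitimate registrable domains for the carriers the
# article names. A real deployment would extend and maintain this list.
KNOWN_BRANDS = {
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "usps": {"usps.com"},
    "amazon": {"amazon.com"},
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'www.fedex.com' -> 'fedex.com'.

    Two-label heuristic for the example; a public-suffix list is needed to
    handle country-code TLDs such as .co.uk correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_qr_url(url: str) -> list[str]:
    """Return warnings for a URL decoded from a QR code; empty means no concern found.

    Flags lookalike hosts that contain a brand name (hyphens ignored, so
    'fed-ex' still matches) while the registrable domain is not the brand's.
    """
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if "@" in parts.netloc:
        warnings.append("userinfo before host (credentials-in-URL trick)")
    if host.replace(".", "").isdigit():
        warnings.append("raw IP address instead of a domain")
    domain = registrable_domain(host)
    # Substring match on the hyphen-stripped host. Short brand names such as
    # 'ups' can produce false positives (e.g. 'groups.example.com'); treat a
    # hit as a reason to verify, not as proof of fraud.
    flat = host.replace("-", "")
    for brand, legit in KNOWN_BRANDS.items():
        if brand in flat and domain not in legit:
            warnings.append(f"looks like {brand} but registrable domain is {domain}")
    return warnings
```

Note that the check also catches the subdomain trick (fedex.com.evil.net), because only the registrable domain is compared against the allowlist.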
Stay one step ahead
As cybersecurity threats like quishing continue to grow, it will always be best practice to question the authenticity of QR codes and any digital communication that requests personal information from you. Learn to spot the signs of phishing and take proactive measures to protect yourself and your organization. Consider sharing this information with others to help spread awareness about phishing schemes and, above all, remember to stay vigilant. Your awareness and alertness are your best defenses against quishing and other cyber threats.
References:
Quishing – United States Postal Inspection Service (uspis.gov)
Are you sure that QR code is legit? – USPS Employee News
How to Recognize and Avoid Phishing Scams | Consumer Advice (ftc.gov)
Recognize and Report Phishing | CISA
Is That Delivery Text Real or Fake? How to Shop and Ship Safely this Season | McAfee Blog