
Getting To Know QR Phishing: The Threat Of Quishing & How to Avoid It
Jakarta, CNBC Indonesia – A QR (Quick Response) code is used to store data that can be read by devices such as smartphones or scanners. Users simply scan this code to access the information embedded in it, such as a website URL, text, or contact details. Because they are easy and fast to use, QR codes are often used for digital payments, marketing, and information sharing in various fields.
As the use of QR codes increases, cybercriminals are also running attacks that target users in more sophisticated ways. They place fake QR codes in public places, such as restaurants, posters, or advertisements, to direct victims to malicious websites that can steal personal information or commit financial fraud.
These attacks often occur without the user’s knowledge, because they believe that the QR code is safe. Once scanned, users can be directed to a phishing page that looks like an official site, where they are asked to enter login credentials or other sensitive information.
What is QR Phishing (Quishing)?
Quishing or QR phishing is a cybersecurity threat in which an attacker uses a QR code to redirect victims to a malicious website or to ask them to download malicious content. The goal of this attack is to steal sensitive information, such as passwords, financial data, or personally identifiable information (PII), and use the information for various crimes such as identity theft, financial fraud, or ransomware.
This type of phishing can often bypass conventional defenses, such as secure email gateways. Typically, QR codes in emails will be treated as harmless images by many secure email gateways. Thus, users become vulnerable to this form of phishing attack.
In addition, QR codes can also be displayed to victims in various other ways. An example is a QR on a fake promotional poster that is pasted in a public space.
How Does QR Phishing (Quishing) Work?
In a quishing attack, an attacker creates a QR code that links to a malicious website. Typically, the attacker inserts this QR code into a phishing email, social media, printed flyer, or other physical object. The attacker will then use social engineering techniques to entice the victim to scan the code. For example, victims may receive an email inviting them to access encrypted voice messages via a QR code with the promise of winning a cash prize.
When victims use their mobile phones to scan the QR code, they are redirected to a malicious website. The site may ask them to enter personal information, such as login details, financial details, or other personal information. In the example above, the site might ask for the user’s name, email, address, date of birth, or account login information.
Once this sensitive information is obtained, attackers can misuse it for a variety of malicious purposes, for example to scam people or even run ransomware attacks.
How to Avoid QR Phishing
1. Be Careful When Scanning QR Codes
Do not scan QR codes found on posters, advertisements, emails, or social media, especially if they do not come from a trusted source. Also, pay attention to the situation in which the QR code is placed; if it looks suspicious or of unknown origin, it is better to avoid it.
2. Verify the Validity of the QR Code
Before scanning, make sure the QR code comes from a trusted source. If in doubt, ask the official provider or just type in the URL provided without scanning the code. Avoid scanning QR codes that appear in suspicious emails or offers that are too good to be true.
3. Use Security Software That Can Detect QR Phishing Threats
Install a security app on your phone that has a QR scanner feature. The app can analyze QR codes before opening the associated link, helping to detect potential threats such as malicious sites or phishing attempts. That way, you can reduce the risk of being hit by a Quishing attack.
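The kind of check a QR scanner app can run on a link before opening it, as an added example that is not from the original article. It assumes the QR code has already been decoded to text; the function name, the trusted-host list, and the shortener list are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed for this example: hosts the user trusts and shortener domains.
TRUSTED_HOSTS = {"example.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def assess_qr_payload(payload):
    """Return reasons not to open a decoded QR payload automatically.
    An empty list means none of the checks fired."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        user = parts.username
    except ValueError:
        return ["malformed URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ["not a web link (scheme %r)" % scheme]
    if not host:
        return ["no host in URL"]
    reasons = []
    if scheme == "http":
        reasons.append("unencrypted http link")
    if user is not None:
        reasons.append("text before '@' disguises the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host, possible look-alike domain")
    if host in SHORTENERS:
        reasons.append("URL shortener hides the destination")
    if not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
        reasons.append("host %s is not on the trusted list" % host)
    return reasons


# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://pay.example.com/invoice/42",
    "http://203.0.113.7/login",
    "https://example.com@xn--exmple-cua.test/reset",
    "https://bit.ly/abc123",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", assess_qr_payload(s) or "no check fired")
```

A link that passes every check is not proven safe; the checks only surface the disguises that are hard to spot on a small phone screen.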
Why is QR Phishing Dangerous?
QR phishing, or quishing, is a serious threat that can have a detrimental impact on both employees and companies. This attack has the potential to direct employees to malicious websites, where they may be asked to reveal sensitive information such as passwords, financial data, or other personal information. When this data falls into the wrong hands, it creates a risk of identity theft, financial fraud, and reputational damage to the company.
For companies, QR phishing attacks not only threaten data security but can also cause operational disruptions. The cost of recovering from such attacks can be very high, including investigations, data recovery, and security system enhancement. In addition, if customer data is involved, customer trust in the company can be compromised. This can have a negative impact on long-term business relationships.
SOURCE: CNBC INDONESIA