I remember a couple of Super Bowls ago when the hosting network displayed a company ad that was nothing more than a QR code. Even back then, I said to my wife, "Oh, boy, this could get ugly." The point was that, like all things, QR codes always seem innocuous…until they aren't.
Folks, we've arrived at that point where QR codes have started being weaponized in phishing attacks.
First, a bit of backtracking.
What is phishing?
For those who haven't heard the term, phishing is a type of social engineering attackers use to deceive people into revealing or handing over sensitive information (such as usernames and passwords) or even installing malicious software.
Phishing has been around for a very long time and it has taken on numerous forms over the years. In this latest go-round, the attacks use QR codes, a technique known as quishing.
What is quishing?
Consider the QR code aired during the Super Bowl. Now, imagine the company behind that commercial had malicious intent (just to be clear, the company behind that commercial did not have malicious intent). Say, for example, the QR code displayed during the ad opened your phone's browser and automatically downloaded and installed a piece of ransomware. Given the number of people who watch the Super Bowl, the outcome of that attack could have been disastrous.
That's quishing: fooling a person (or a number of people) into thinking something is harmless (or necessary) when the true intent is far from innocent. The goal is to access your information, steal your bank account credentials, and much, much more.
Why is this a problem?
QR codes are everywhere: in restaurants, on mass transit, in commercials, on signs, walls, bathroom stalls, and advertisements. Companies even ship their products with QR codes so consumers can pull up the manual on their phones.
We've all just accepted the QR code. And, to that end, we trust them. After all, how harmful can a simple QR code be? The answer to that question is…very. And cybercriminals are counting on the idea that most consumers always assume QR codes are harmless. Those same criminals also understand that their easiest targets are those on mobile phones. Why? Because most desktop operating systems include phishing protection. Phones, on the other hand, are far more vulnerable to those attacks.
At the moment, most quishing attacks involve criminals sending a QR code via email. Most often those emails urge the recipient to verify an account and warn that they must act within a certain time frame or the account will be locked or closed. The idea is that a user would see the QR code in their desktop email client and scan it with their phone. Once scanned, the QR code would wreak havoc on the device.
Of course, that's not the only way a threat actor could use a QR code to dupe people into falling for their scam. As I said, QR codes are everywhere. What's stopping a cybercriminal from plastering QR codes everywhere, knowing some innocent bystander would scan the code to unleash whatever attack was planned?
What can you do?
The simplest thing you can do is not scan QR codes…especially those from unknown sources. The only time I ever scan a QR code is after I've verified the source. Even then, I'll only scan it if I absolutely have to.
If you receive an email with a QR code, the first thing you should do is verify the validity of the sender. For example, if you receive an email with a QR code that purports to be from Company X but you look at the sender's email and it's from Gmail or some random (unknown) domain, chances are pretty good that's a quishing attack.
My best advice is that any QR code in an email should never be scanned. Legitimate companies will always send instructions on doing whatever it is you need to do. And most companies are certainly not going to send a QR code so you can verify your account. As for the random QR codes you encounter in the world? Just don't. If you allow your curiosity to get the best of you, you might not enjoy the consequences.
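The sender check described above can be automated on the mail-server or mailbox side. The script below is an added example, not code from the article: it parses a raw message with Python's standard email module and reports the article's warning signs (a free webmail sender domain, a sender domain that does not match the company named in the mail, an embedded image such as a QR code, and "verify within N hours / account locked" wording). Both sample messages and the company domain companyx.example are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages for this example; neither is from the article.
QUISH_EML = """From: Company X Security <alerts@gmail.com>
Subject: Verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Scan the QR code below now or your account will be locked.
--b1
Content-Type: image/png; name="qr.png"

iVBORw0KGgo=
--b1--
"""
CLEAN_EML = """From: Company X <statements@companyx.example>
Subject: Your monthly statement
Content-Type: text/plain

Your statement is available in the portal you normally log in to.
"""
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URGENCY = re.compile(r"\b(verify|within \d+ hours?|locked|closed|suspended)\b", re.I)

def sender_domain(msg):
    """Domain of the From: address, lower-cased; '' if there is none."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def quishing_indicators(raw, expected_domain):
    """Apply the article's checks to a raw RFC 822 message; expected_domain is
    the domain of the company the mail claims to come from. Returns the
    indicators that fired (an empty list means none did)."""
    msg = message_from_string(raw, policy=policy.default)
    found, domain = [], sender_domain(msg)
    if domain in FREE_MAIL:
        found.append(f"sender {domain} is a free webmail domain, not a company one")
    if domain and domain != expected_domain.lower():
        found.append(f"sender {domain} does not match claimed {expected_domain}")
    if any(p.get_content_maintype() == "image" for p in msg.walk()):
        found.append("image attachment present (a QR code arrives as one)")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    if URGENCY.search(text):
        found.append("urgency / account-verification wording present")
    return found
```

An empty result does not make a message safe; the checks only surface the signs the article describes, and the human advice (do not scan QR codes from email) still applies.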
Just like SMS messages from unknown sources, those QR codes could be hiding dangerous intent. So, unless you are 100% certain of the source of a QR code, never scan it with your phone.