Why you can trust ZDNET
:ZDNET independently tests and researches products to bring you our best recommendations and advice. When you buy through our links, we may earn a commission.Our process
'ZDNET Recommends': What exactly does it mean?
ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.
When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.
ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.
Phishing has been around for a very long time, and it has taken on numerous forms over the years. In this go-round, the attacks use QR codes, aka quishing.
What is quishing?
Since QR codes are nearly everywhere to provide users with easy access to information they need to access, people are prone to scan them without second-guessing their purpose.
Seeing this vulnerability, bad actors have chosen to imitate those helpful QR codes, only to lead the person who scans it to a spoofed site, steal their information, or install malware on their device.
That's quishing. Fooling a person (or a number of people) into thinking something is harmless (or necessary), but the true intent is far from innocent. The goal is to access your information, steal your bank account credentials, and much, much more.
What are some quishing attacks to be on the lookout for?
According to the FTC, there have been reports of scammers covering QR codes on parking meters, which are there to enable people to pay for the parking spot, with their own, malicious QR code stickers.
The FTC also said another common quishing attack involves sending victims a QR code by text message or email with an urgent reason that they'd have to scan it.
Some reasons include saying you need to scan the code to reschedule a package delivery, pretending there's a problem with your account and you need to scan the code to confirm information, or saying that they noticed suspicious activity on your account and you should change the information.
The key factor is the sense of urgency the scammer creates in the message to get the user to scan the QR code and enter their personal information as soon as possible without thinking.
Of course, these aren't the only ways a threat actor could use a QR code to dupe people into falling for their scam. Ultimately, any QR code you see in the wild could be compromised.
Why is this a problem?
QR codes are everywhere: in restaurants, mass transportation, commercials, signs, walls, bathrooms, advertisements, and even companies ship their products with QR codes, so consumers can access manuals on their phones.
We've all just accepted the QR code. And, to that end, we trust them. After all, how harmful can a simple QR code be? The answer to that question is…very. And cybercriminals are counting on the idea that most consumers always assume QR codes are harmless.
Those same criminals also understand that their easiest targets are those on mobile phones. Why? Because most desktop operating systems include phishing protection. Phones, on the other hand, are far more vulnerable to those attacks.
What can you do?
The simplest thing you can do is not scan QR codes…especially those from unknown sources. Specifically, the FTC recommends that if you see a QR code in an unexpected place, you inspect the URL before opening it.
When inspecting the link, some things to look out for include making sure you recognize the URL, and even if you do, look for misspellings or a switched letter.
The FTC also advises that if you receive an unexpected email or text with a QR code, don't scan it, especially if it urges you to act immediately.
If you think that the message looks legitimate, you can verify the validity of the sender by using a phone number or website that is confirmed to be authentic to verify the information.
Legitimate companies will always send instructions on doing whatever it is you need to do. And most companies are not going to send a QR code so you can verify your account. Just like SMS messages from unknown sources, those QR codes could be hiding dangerous intent. So, unless you are 100% certain of the source of a QR code, never scan it with your phone.
Another tip is if you receive an email with a QR code that purports to be from Company X, but you look at the sender's email, and it's from Gmail or some random (unknown) domain, chances are pretty good that's a quishing attack.
Lastly, the FTC recommends you protect your phone and accounts by updating your phone to its latest OS and placing strong passwords and multifactor authentication on your accounts.