Have you ever been caught in a quishing attack without even knowing it?
Imagine this: you're about to order lunch and see a QR code on the table inviting you to scan for the menu. It seems quick and harmless. But that simple scan could lead you to a fake website designed to steal your personal information. While most QR codes are safe, cybercriminals are increasingly using them in scams—known as QR code scams—to trick unsuspecting users. Understanding how quishing attacks work is the first step to staying safer online.
What is a quishing attack or QR code scam?
Quishing, a term that combines QR and phishing, refers to a social engineering tactic where attackers embed malicious links within QR codes. These deceptive codes might appear in emails, on printed materials, or across digital platforms. When scanned, they can sometimes direct users to fraudulent websites or prompt the download of harmful software. This is known as a quishing attack, or more simply, a QR code scam. Since QR codes typically hide the actual web address, they can make it easier for malicious activity to go unnoticed.
What is a QR code?
A QR (Quick Response) code is a type of two-dimensional barcode that can be scanned using a smartphone or another device with a camera. It provides a quick and convenient way to access information with a single scan.
How is quishing different from text-based phishing?
While both are phishing attacks, the main difference is the delivery method:
- Text-based phishing uses links in emails or messages.
- Quishing hides the malicious link inside a QR code, making it harder to detect.
Why might a quishing attack be a concern?
QR codes are everywhere these days, from menus and event check-ins to office printers, and their popularity has attracted the attention of cybercriminals.
- Many email security systems may have limitations in detecting threats hidden within image-based QR codes.
- Fake codes can be placed over real ones in public spots.
- Sometimes, the QR code might be part of a phishing email on a work laptop but gets scanned on a personal phone. Or someone might scan a code sent to their private email using a work device. This kind of crossover between devices isn’t always covered by security tools, and it can make things harder to track or manage.
How can you help reduce the risk of a quishing attack?
Although no solution is completely foolproof, there are several practices that may help individuals and organisations reduce the risk of being affected by a quishing attack:
- Check the web address displayed after scanning a QR code and before proceeding. If the web address seems suspicious or unusual, it may be safer to avoid interacting with it.
- Exercise caution when scanning QR codes, especially those that appear unexpectedly or are associated with time-sensitive requests.
- Consider typing web addresses manually if prompted to log in or make a payment, particularly for sensitive transactions.
- Use official app stores rather than QR codes when downloading applications.
- Stay current with device updates and security patches, which may help limit exposure to known vulnerabilities.
- Promote awareness and training among employees, friends, and family about the potential risks related to QR code misuse.
- Explore tools such as secure QR code generators when distributing your own QR codes to help reduce the risk of tampering.
- Enable multi-factor authentication for all accounts you have, where possible.
At the end of the day, it’s really about staying curious and informed. Asking a few questions before you scan can sometimes make a big difference.
How can you detect a quishing attack?
Here are signs that a QR code might be part of a scam:
- The message urges you to act quickly or threatens consequences.
- The QR code comes from an unknown or suspicious source.
- The website you land on looks unusual or asks for sensitive information.
- The QR code is placed over another code or sticker in public.
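The advice above to check the web address shown after scanning, and the sign that "the website you land on looks unusual", can be turned into a concrete pre-visit triage. The following Python script is an added example and is not part of the original article or of any ANZ tool. It assumes the phone's scanner has already decoded the QR code into a string, and it uses only the standard library. The shortener list, the brand-to-host mapping, the redirect parameter names and the risk weights are all assumptions chosen for illustration; a real deployment would maintain its own allow-lists.

```python
"""Triage a URL decoded from a QR code before visiting it (added example)."""
from urllib.parse import urlparse, parse_qs
import ipaddress

# Assumption: a short list of well-known link shorteners (destination hidden).
LINK_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Assumption: brand keywords and the hosts they legitimately belong to.
# A real deployment would load this from an allow-list it maintains.
BRAND_HOSTS = {
    "anz": ("anz.com.au", "anz.com"),
    "mygov": ("my.gov.au",),
}

# Query parameter names commonly used to bounce a visitor to a second site.
REDIRECT_PARAMS = {"url", "redirect", "next", "return", "goto", "dest"}

# Assumption: how much each finding contributes to the overall rating.
WEIGHTS = {
    "non-web scheme": 3,
    "brand lookalike": 3,
    "userinfo before host": 3,
    "raw IP host": 2,
    "punycode label": 2,
    "link shortener": 1,
    "plain http": 1,
    "redirect parameter": 1,
}


def _host_matches(host: str, allowed: tuple) -> bool:
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def analyze_qr_url(payload: str) -> dict:
    """Return the host, a list of findings and a low/medium/high rating."""
    findings = []
    parsed = urlparse(payload.strip())
    scheme = parsed.scheme.lower()

    if scheme not in ("http", "https"):
        # tel:, sms:, wifi: and similar payloads are valid QR content but show
        # no web address, so they cannot be checked the same way.
        findings.append("non-web scheme")
        return {"host": None, "findings": findings, "risk": "high"}

    host = (parsed.hostname or "").lower()
    if scheme == "http":
        findings.append("plain http")
    if parsed.username is not None:
        # The part before "@" is ignored by the browser; only the host counts.
        findings.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP host")
    except ValueError:
        pass  # a normal domain name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label")
    if host in LINK_SHORTENERS:
        findings.append("link shortener")

    # Keyword heuristic: a brand name anywhere in the URL while the real host
    # is not one of that brand's domains.
    text = (parsed.netloc + parsed.path + "?" + parsed.query).lower()
    for brand, allowed in BRAND_HOSTS.items():
        if brand in text and not _host_matches(host, allowed):
            findings.append("brand lookalike")
            break

    query = parse_qs(parsed.query)
    if any(k.lower() in REDIRECT_PARAMS and v and v[0].startswith("http")
           for k, v in query.items()):
        findings.append("redirect parameter")

    score = sum(WEIGHTS[f] for f in findings)
    risk = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return {"host": host, "findings": findings, "risk": risk}


if __name__ == "__main__":
    # Constructed sample payloads; none of these come from a real scan.
    samples = [
        "https://www.anz.com.au/personal/",
        "http://anz.com.au@192.0.2.10/login",
        "https://anz-secure-login.example/verify?next=http://evil.example",
        "https://bit.ly/abc123",
        "tel:+61000000000",
    ]
    for s in samples:
        r = analyze_qr_url(s)
        print(f"{r['risk']:6} {s}  {', '.join(r['findings']) or 'no findings'}")
```

A "low" result only means none of these heuristics fired; it is not proof the site is genuine. The checks are deliberately conservative so that the common tricks the article describes (hidden destinations, lookalike names, a second hop via a redirect parameter) are surfaced before any login or payment page is reached.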
What happens if you scan a fraudulent QR code?
If you think you have been scammed, first of all, try not to blame yourself. Even tech-savvy people sometimes scan the wrong QR code without thinking, and can find themselves caught in a scam.
- If you have shared financial information or believe you have transferred money to a cybercriminal, notify your bank immediately. If you are an ANZ customer, please contact us immediately to report the fraud.
- If you shared credit card details, block or cancel those cards immediately. If your cards are with ANZ, you can do this through the app.
- Change passwords for all accounts that may have been compromised, including banking, email, and social media accounts.
Who can you contact if you’ve been impacted by a QR code scam?
- Report the QR code scam to the Police through the Australian Signals Directorate’s ReportCyber portal. This portal is for reporting scams where money or personal information has been lost.
- Report the scam to Scamwatch as well. This helps them prevent future losses, monitor trends and educate the public about emerging threats.
- For phishing or identity theft associated with government accounts such as Centrelink, Medicare, or Child Support, contact the Services Australia Scams and Identity Helpdesk on 1800 941 126 or visit their website.
- You can also contact IDCare, a not-for-profit organisation that provides support to those experiencing identity and cyber security concerns.
Final thoughts
QR codes can be super handy, and many of them are likely safe. But like anything online, a little awareness can go a long way. If something feels off, it might be worth checking twice before scanning once.