What is a Quishing Scam, How to Avoid, Spot & Report It

Quishing is a type of phishing attack that uses QR codes instead of text-based links in emails, digital platforms, or on physical items to trick users into divulging sensitive information or downloading malware. It is a form of social engineering that exploits the convenience and speed of QR codes to bypass email filters and security measures, often using emotional manipulation to persuade victims to scan malicious codes.

Quishing attacks can take various forms, such as fake login pages, downloadable viruses or malware, or requests for personal information or payment. They may be distributed through emails, text messages, signage, or even in-person encounters, often disguised as legitimate sources or offering attractive deals or discounts.

How to avoid quishing scams

To avoid falling victim to quishing scams, which use QR codes for phishing, here are some important tips:

  1. Inspect QR Codes: Before scanning any QR code, especially in unexpected places, carefully check the URL it leads to. Look for spelling mistakes or altered letters that could mean it's a fake website.
  2. Avoid Unsolicited QR Codes: Don't scan QR codes in emails or text messages that you weren't expecting, especially if they say you need to act right away. Verify the source before scanning.
  3. Verify Public QR Codes: When scanning QR codes in public places like restaurants or parking meters, make sure they are real and haven't been tampered with by scammers. Be careful of QR codes on stickers that may lead to harmful websites.
  4. Keep Software Updated: Regularly update your phone's operating system to protect against vulnerabilities that hackers could use. Also use strong passwords and enable multi-factor authentication for extra security.

Following these steps can help reduce the risk of falling for quishing scams and protect your personal information from cybercriminals. Above all, verify that a QR code is safe before scanning it; our guide on "How to Check if a QR Code is Safe" gives detailed steps.

Common tactics used in quishing scams

  1. Fake QR codes: Scammers create QR codes that look real but lead to fake websites or malware. They can spread these codes through emails, texts, or in public places.
  2. Urgent messages: Scammers create a sense of urgency, telling people to scan the QR code right away to fix an issue with their account or to reschedule a delivery.
  3. Fake websites: After scanning the QR code, people are taken to a website that looks like a real one, such as a bank's login page. This is used to steal their login details and personal information.
  4. Malware downloads: People may be asked to download an app or software after scanning the QR code, which can infect their device.
  5. QRLJacking: This is a more advanced form of quishing that targets Quick Response Login (QRL) systems. Hackers can start a session on the target website or app, copy the QR code, and change it to send people to their own server. This can give them access to the victim's account if they don't have multi-factor authentication.
  6. Dynamic QR codes: Scammers can change the source of these QR codes to redirect people to malicious sites, leading to identity theft or malware.

To avoid quishing scams, it's important to carefully check QR codes, verify the source, and avoid scanning codes in unsolicited messages or public places unless you're sure they're safe. Keeping your software up-to-date, using strong passwords, and enabling multi-factor authentication can also help protect you.

How to report a quishing scam to the authorities

To report a quishing scam to the authorities, follow these steps:

  1. Report to the Federal Trade Commission (FTC): Visit the FTC's website at reportfraud.ftc.gov to report the scam, a company, or an unwanted call. The FTC uses these reports to investigate and bring cases against fraud, scams, and bad business practices. While they can't resolve your individual report, they share the information with over 2,800 law enforcers.
  2. Report to the Internet Crime Complaint Center (IC3): The IC3 collects reports of internet crimes from the public. They use these complaints to help the Recovery Asset Team freeze hundreds of thousands of dollars for cybercrime victims. You can report quishing scams to the IC3.
  3. Report to the FBI: If you or your organization is the victim of a network intrusion, data breach, or ransomware attack, contact your nearest FBI field office or report it at tips.fbi.gov.
  4. Report to the Anti-Phishing Working Group (APWG): Forward any phishing emails to [email protected]. The APWG includes ISPs, security vendors, financial institutions, and law enforcement agencies.
  5. Report to the company or person being impersonated: Let the company or person that was impersonated know about the phishing scheme.

By reporting quishing scams to these authorities, you can help protect yourself and others from these cyber threats.