QR code scams: Your smartphone could be hacked this way, how to avoid it and what you should know
In Salta, Argentina, authorities warned about a possible QRishing scam through fake traffic tickets and the news quickly spread on social media in Mexico and other countries. Here’s how to protect yourself.
Several residents of the city of Salta, Argentina, reported having found a supposed “fine” attached to the windshield of their cars, with the message: “Vehicle in violation. You parked incorrectly. To see your fine, scan the QR code.”
The publication also warned that there have been no official complaints yet, as confirmed by the authorities, but the Public Prosecutor’s Office of Salta preferred to take the lead and published a statement warning about the danger. But how does it work and what can you really do about QRishing?
In every form of communication or messaging out there, you can be sure that scammers and hackers will try to find ways to take advantage of you, from emails to text messages to calls. And these threats extend to QR codes (the “QR” stands for “quick response”) as well.
What is quishing
Earlier this year, a major US energy company was hacked using a QR code, and security analysts are warning that these attacks, known as quishing, are on the rise. Quishing is a combination of the terms “QR code” and “phishing,” where malicious actors “fish,” often via email, for private information and personal data.
As if we didn’t have enough to worry about already, we now need to be on guard against quishing. The good news is that the security practices you’ve hopefully already implemented will help you here, too.
How QR code scams work
By now, we should all be familiar with QR codes: that black-and-white grid that acts as a kind of hieroglyph that your phone’s camera or other device can translate. Most often, QR codes are transformed into a website URL, but they can also be used to direct you to a plain text message, app listings, locations, and more.
This is where the trickery creeps in: QR codes link to fraudulent websites just as easily as they do to authentic ones, and you don’t always know which one it is before you visit it. Scanning a QR code will often bring up a URL that you can view, but it’s rarely clear at first glance how safe the address of that page is.
And you don’t need anything special to create a QR code. The tools are widely available and easy to use; creating your own isn’t much more complicated than scanning one. If you wanted to generate a QR code that leads to a malicious website, it would only take a couple of minutes. And it could be stuck on a wall, attached to an email, or printed on a document, ready for scanning.
The goals of these websites are the same as ever: to get you to download something that will compromise the security of your accounts or devices, or to enter login credentials that will then be transmitted directly to the hackers – most likely through a fake site, set up to look authentic and trustworthy. The intended end results are the usual ones, but the method of getting there is different.
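As an added illustration (not part of the original article), the Python function below takes the text a scanner has already decoded from a QR code, sorts it into the payload kinds mentioned above, and for web addresses lists features that make the address hard to judge at a glance. The function name, flag names, scheme mapping and sample payloads are assumptions constructed for this example; the flags are heuristics that say an address deserves a closer look, not that it is malicious.

```python
import ipaddress
from urllib.parse import urlsplit

# Non-web schemes mapped to the payload kinds the article lists (mapping assumed here).
OTHER_KINDS = {"geo": "location", "market": "app listing"}

def triage_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload; for web URLs, list reasons to look closer."""
    try:
        parts = urlsplit(payload.strip())
        port = parts.port
    except ValueError:  # e.g. non-numeric port or broken IPv6 literal
        return {"kind": "malformed", "host": None, "flags": ["unparseable"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return {"kind": OTHER_KINDS.get(scheme, "text"), "host": None, "flags": []}
    host = (parts.hostname or "").lower()
    flags = []
    if scheme == "http":
        flags.append("no-tls")
    if parts.username is not None:
        flags.append("userinfo-before-host")  # text before '@' is not the site name
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass  # a DNS name, not an IP address
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # may render as look-alike characters
    if port not in (None, 80, 443):
        flags.append("unusual-port")
    return {"kind": "url", "host": host, "flags": flags}

# Constructed sample payloads (reserved example names and addresses only).
SAMPLES = [
    "https://example.org/menu",
    "http://203.0.113.7:8080/fine",
    "https://city-fines.example@xn--e1afmkfd.example/pay",
    "geo:-24.78,-65.41",
    "Table 12: scan to order",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", triage_qr_payload(s))
```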
How to avoid hacking using QR codes
The security measures you already have in place in other situations are the same ones that will protect you from QR code hacking. Just as you would with emails or instant messages, be wary of QR codes if you don’t know where they came from, for instance when they are attached to suspicious-looking emails or appear on websites you can’t verify. The QR code on your local restaurant’s menu, on the other hand, is highly unlikely to have been generated by hackers.
Of course, there’s always the chance that friends, family, and colleagues’ accounts have been compromised, so you can never be 100% sure that a QR code message is authentic. Scams typically aim to incite a sense of urgency and alarm – something like: ‘scan this QR code to verify your identity’, ‘prevent account deletion’, or ‘take advantage of this limited-time offer’.
Your digital accounts should be as secure as possible, so that if you do fall victim to a QR code scam, you already have the right security mechanisms in place. Enable two-factor authentication on all accounts that offer it, and check that your personal details, such as the backup email addresses and phone numbers that can be used to recover your accounts, are up to date. Sign out of devices you no longer use; it’s also a good idea to delete old accounts you no longer need.
Finally, keep your software up to date – something that’s thankfully now very easy to do. The latest versions of popular mobile browsers incorporate technology to detect fraudulent links – these built-in protections aren’t foolproof, but the more up-to-date your browser and mobile operating system are, the more likely you are to receive an on-screen warning if you’re about to visit an unsafe part of the web.