“Quishing” and other QR Code Phishing Scams

November 2nd, 2023 | Myriad Advisor Solutions

As a trusted technology support provider for countless businesses of all sizes, Myriad Advisor Solutions endeavors to keep you ahead of cyber criminals and their evolving tactics. While they had been around before, the pandemic made QR codes an integral part of everything from ordering at restaurants to transmitting your business’s contact information. But as they’ve become more ubiquitous, so have QR code-based phishing and scamming attacks.

There are several different forms of QR Scams. QR phishing, known as ‘Quishing,’ happens when a scammer tries to entrap a victim by posing as a credible company an individual person, or even something generic like IT Admin. For example, they might pose as a payment company asking for you to re-enter your information. Payment scams are when a fraudulent QR is put in a public space to trick customers into paying them instead of the business. (Think parking garages.) Giveaways, such as receiving a physical package with a QR Code for more information about the contents or digital ‘double your crypto’ scams, are a popular way to fool people. Finally, criminals might place QR codes on physical and digital messages asking for donations to a charity that doesn’t exist. Clicking on these QR codes may lead to a page that appears to be a Microsoft account login, but it's actually a scam designed to trick people into revealing their Microsoft account username and password directly to scammers. Microsoft never solicits login information via email. When encountering something similar, the best course of action is to contact your IT administration.

These attacks can be on both an individual basis and a massive scale – just ask the University of Pittsburgh’s Information Technology department. Their entire community was targeted with a Quishing attack that attempted to collect their university-related credentials. With a subject line like ‘ACT FAST NOW!!!,’ an e-mail filled with techno-speak, and the user’s Word, Excel, and PowerPoint files under supposed threat of deletion, it’s easy to understand why anyone might fall for this.

Fortunately, there are ways you can protect yourself. Double check any website that is asking for your personal information, especially one from a QR code you just scanned. Inspect the QR code itself before scanning – fraudulent QR codes might have indicators such as spelling errors. Use your phone’s native camera to scan QRs and double check the URL that pops up before clicking through to it.

All in all, applying the same cybersecurity principles of constant vigilance and verification to QR codes will help you avoid the problems we discussed here. Don’t know where to start? No problem – call Myriad at 515.850.1221 or click here. If there is ever any doubt, be sure to reach out to your IT professional.