An new cyber threat appeared in the world of cybercrime. It's about the Quishing, a term derived from the combination of “phishing” and “QR Code”, and represents a new type of attack by cyber criminals.
The scammers can create fake QR Codes which, when scanned, lead users to websites that are malicious or require the entry of sensitive personal information which is then promptly stolen.
However, before going into the details of quishing, let's explain what QR Codes are.
What is QR Code
Il QR Code, which stands for Quick Response Code, is a form of two-dimensional barcode, composed of black modules on a white background, which can be read quickly from an optical device, like a smartphone camera.
The main use of QR codes is provide an efficient way to store and exchange information. When a device reads the QR code, it can quickly interpret the content and perform specific actions, such as opening a website, displaying a message, or adding contacts.
I codes can contain a variety of information such as web links, text, phone numbers, tickets, etc. QR codes have become part of our daily lives, widely present in restaurants, public transport, advertising and even on product packaging and also to access services with public administrations. This widespread use has instilled a sort of trust in their contents, since the information hidden behind the grid of black and white dots appears impenetrable to the naked eye.
Hackers are thus exploiting users' widespread habit of scanning QR codes daily to scam people more effectively.
Quishing: a new form of Phishing
To explain the new cyber threat we must start from a basic concept: the quishing is a form of phishing.
Phishing is a form of social engineering in cybersecurity, in which malicious actors manipulate people into obtaining sensitive information, such as passwords, or into installing malicious software. Over the years, phishing has taken various forms and its latest evolution is quishing.
However, the final goal is always the same: to gain access to personal information, steal banking credentials or carry out other malicious actions.
How quishing works
The Quishing process begins with the creation of a Fraudulent QR Code. Creating a QR Code in itself is very simple and accessible to anyone through numerous online sites. Furthermore, the image format used makes it difficult for antiviruses to detect it.
Once the user frames the code with their smartphone's camera, they are redirected to a malicious website. Here, you may be asked to enter sensitive information or allow malware to be downloaded that will infect your device.
Currently, the most attacks occurs through cyber criminals sending QR codes through email. These emails typically conceal urgent requests for account verification, threatening recipients with imminent ban if they do not act promptly.
Quishing, however, can manifest itself in different forms, including theuse of malware via QR Codes designed to infect the victim's device while scanning the code. Other modes include the dissemination of misleading advertising through QR Codes present in ads, which can direct users to fraudulent sites that simulate advantageous offers in order to collect sensitive or financial information.
According to research conducted by Harmony Email, Quishing has recorded a worrying del% increase 597. This alarming data highlights how cybercriminals are increasingly exploiting QR Codes for their scams, taking advantage of the trust that people have acquired towards these two-dimensional codes.
How to protect yourself from Quishing
The phenomenon of QR Code scams is growing rapidly, with thousands of attacks occurring in recent months, according to some cybersecurity companies. The Postal Police warns that to avoid falling for such scams, it is essential adopt the same defense practices used against phishing and smishing. In particular, it is recommended to carefully check the email address, as the QR Code is often sent via email. It is therefore important to pay attention to URLs that are abbreviated or different from the official domain.
The general rule is that avoid entering personal data on sites where you are not 100% safe. QR Codes generated by secure applications usually do not lead to sites that require login or payment credentials. The important thing is always
Here are some practical tips:
- Check the source: Before scanning a QR Code, make sure it is from a reliable source, especially if received via email or text.
- Avoid sensitive information: avoid entering personal or financial information on sites reached via QR Code, unless their authenticity is 100% guaranteed.
- Keep your software updated: Regularly update your device software, including the QR Code scanning application, to ensure maximum security.
- Be cautious with offers that are too tempting: carefully evaluate the legitimacy of QR Codes that promise extraordinary offers and be suspicious of situations that seem too advantageous.
- Configure Email Security: Configure security options within the app for scanning QR Codes, for example requiring the full web address to be displayed before confirming any action.
But the risk associated with codes is not limited to email. QR Codes yes I can toofind in public spaces. In this case use common sense is critical.
The safest approach is Avoid scanning QR codes, especially those from unverified sources. If necessary, scan it only after validating its source and do so with caution and only when absolutely necessary.
