QR Code Alert Phone Screen

What do you get when you combine QR codes and phishing? You get Quishing (also known as Qishing) – a new way for bad actors to steal your information. QR codes are not new on the scene – they were invented in 1994 by Japanese company Denso Wave for labeling automobile parts – but recently there have been many articles posted about the potential security risks involved with them, including a warning from the Federal Trade Commission on December 6, 2023.

Scammers hide harmful links in QR codes to steal your information

How many times post pandemic have you been in a restaurant where the menu was only available via QR code on a sticker or sign located on your table? How about scanning codes on parking meters? In some cases, bad actors (hackers/scammers) replace legitimate QR codes with links to fake websites that look real – even branded with company logos, login screens, etc. When visiting these websites, you’ll often be prompted to enter your personal information or provide login credentials to your accounts. Additionally, some of these websites will automatically download malware (malicious software) with the intended purpose of stealing your personal information. 

The Federal Trade Commission suggests that you:

    • keep your phone’s operating system (OS) updated with the latest security patches
    • create strong usernames and passwords and use multifactor authentication when available

If you see a QR code or receive one electronically:

    • with your camera pointed at the QR code, pay attention to the highlighted URL that pops up. Before clicking, look closely at the URL to make sure it does not contain any misspelled words or switched letters.
    • don’t automatically scan the QR code, especially if there is a sense of urgency to respond, a request to verify your identity/prevent the deletion of your account, or the opportunity to take advantage of a limited-time offer
    • contact the company directly if you notice discrepancies between the sender’s email address and the company name/domain
    • if anything in the message raises concerns, go directly to a company’s website, instead of scanning the QR code 

In this day and age, it is essential that you approach any electronic communication with caution. Bad actors are always phishing for your personal information, and it is up to you to get into the habit of being mindful and proactive when it comes to protecting your personal accounts and data. 

Remember, it is not only important to practice these habits yourself; our students need to develop good habits as well to start protecting their personal information at an early age. You can start a discussion using this tip sheet from Common Sense Media.