If you immediately think of email when you think of phishing, you’re not alone. However, a new form of a text-based scam is making waves – highlighted by a seemingly legitimate text from the USPS, which lets receivers know that their “package” arrived at the warehouse. To receive the package, it instructs users to click on a link to enter their information for delivery.
This is just one of many examples of an attempt at a phishing attack – a kind of scam where attackers attempt to get users to reveal personal information – such as login credentials, credit card numbers or Social Security numbers – or to trick users into taking an action, such as downloading malware or sending money. Due to the relatively low cost and high success rate, phishing attacks are the most common way online accounts are breached today.
While most phishing attacks come by email, including deceptive links or attachments, others are sent by text message – like the one mentioned above – or even a telephone call. Phishing attacks can look like real emails, messages or websites from familiar brands; in fact, 44 per cent of people think an email is ‘safe’ if it comes from a trusted brand.
Now, another new kind of phishing attack is on the rise and it’s coming from an unexpected source: QR codes.
What are QR codes and how are they used for phishing?
QR codes are a type of barcode displayed in a square-shaped grid that can be read by a camera, typically on a smartphone. QR codes can store plain text or links to download an app, access product information or a menu, send or receive a payment, join a Wi-Fi network, log into an account (e.g. loyalty program) or support mobile ticketing, just to name a few.
In 2022, 83.4 million US smartphone users scanned a QR code, a figure expected to reach 99.5 million in 2025. Unsurprisingly, as QR codes grow in popularity, they have become the latest ‘lure’ for phishing attacks as a way to take advantage of users becoming more comfortable using them.
QR code phishing attacks, also known as “quishing,” leverage physical or digital QR codes to lure users to fake websites designed to steal sensitive information or to infiltrate a device and infect it with malware.
Like with other kinds of phishing, this kind of attack leverages trust—trust in the QR code itself as well as the brand attached to it. Further, many attacks rely on creating a sense of urgency around a supposed benefit (e.g. contest) or consequence of not taking action (e.g. locked account). September 2023 saw a 51% increase in quishing attacks, compared to the cumulative figure for January through August 2023. Furthermore, malicious QR codes represented 9.5 per cent of all QR codes scanned in September 2023.
What does a QR-based phishing attack look like?
QR code phishing leverages a widely-used form of technology that elicits a form of ‘trust’ where attackers either place new, malicious QR codes into physical locations that make them appear trustworthy or send malicious QR codes as part of an email or text phishing attack. Let’s look at some examples:
1 .Physical QR Code
A QR code is attached to the door of a bank. When scanned, the QR code asks the user to sign into their bank account to enter a contest to win $100 that would be automatically deposited into their bank account. The website looks branded with the bank details. However, this QR code is actually fraudulent and all the banking details entered can now be used for fraud.
2. Digital QR Code
The user receives an email from their favourite retailer that contains a QR code to sign up for a new loyalty program. When the user scans the code on their computer screen, they are prompted to enter their personal details, including name, address, username and password.
Similarly, this email contains a fraudulent QR code and is a phishing attack, similar to all other forms of phishing attacks, just leveraging new technology. Those details can now be used to access the retailer’s website and any information stored there, including credit card details. If that password is re-used across other websites, which 39 per cent of people admit to doing, it could be used in other instances of fraud. Further, the personal information may be sold on the black market to be leveraged by others in future phishing attacks.
How can you protect yourself from QR code phishing attacks?
1. Consider and verify the source is legitimate
While QR codes themselves cannot be hijacked, it is very easy to place a new and fraudulent QR code sticker over a legitimate source. QR codes that are sticker-based, unbranded or placed in unusual locations should be treated with caution. QR codes from an unfamiliar source should not be trusted. QR codes delivered by email should always be treated with extreme caution, with the exception of mobile tickets that are read by third parties (e.g. concert tickets).
Whenever in doubt, ignore the “easy” way of responding to the QR code prompt and instead verify the QR code is legitimate by contacting the brand directly from their standard website, by calling customer service, or by asking an employee in person.
2. Be mindful of sharing personal information
Effectively safeguarding personal and financial information and placing trust in a website can be challenging to many people. In fact, about 32 per cent of people are not confident they could spot a fraudulent or fake retailer website. As phishing attacks become harder to identify and use new lure tactics such as QR codes, be wary of websites that ask for personal information, login information or financial details.
3. Be mindful of payment methods
While convenient, not all payment methods are protected equally. Avoid suspicious methods of payment, such as PayPal, Venmo or e-Transfer and avoid debit cards, which are not protected. Opt for a credit card with consumer protection for any purchases. Never disclose banking information or wire transfer funds due to a QR code interaction.
4. Enable strong, phishing-resistant MFA across your accounts
Wherever possible, enable accounts to use multi-factor authentication (MFA) to make it harder for phishing attacks to succeed. While any form of MFA is better than just using a username and password, not all MFA is created equal.
Look for a phishing-resistant MFA option, such as device-bound passkeys, including hardware security keys like the YubiKey, to give advanced protection to online accounts. Security keys stop phishing attacks by requiring something you know (a password) and something you have (a security key) to insert into the device and physically touch it to gain access to accounts.
For those sites that don’t yet support phishing-resistant methods, use a reputable password manager, such as 1Password, to generate strong, unique credentials per site and make logins easier between devices.
Author: Josh Cigna, solutions architect at Yubico.