I remember a couple of Super Bowls ago when the hosting network displayed a company ad that was nothing more than a QR code. Even back then, I said to my wife, "Oh, boy, this could get ugly." The point was that, like all things, QR codes always seem innocuous...until they aren't.
Also: The best VPN services: Expert tested and reviewed
Folks, we've arrived at that point where QR codes have started being weaponized in phishing attacks.
Aka, quishing.
First, a bit of backtracking.
For those who haven't heard the term, phishing is a type of social engineering attackers use to deceive people into revealing or handing over sensitive information (such as usernames and passwords) or even installing malicious software.
Also: How to turn on Private DNS Mode on Android (and why you should)
Phishing has been around for a very long time and it has taken on numerous forms over the years. In this go-round, the attacks use QR codes, aka quishing.
Consider the QR code aired during the Super Bowl. Now, imagine the company behind that commercial had malicious intent (just to be clear, the company behind that commercial did not have malicious intent). Say, for example, the QR code displayed during the ad opened your phone's browser and automatically downloaded and installed a piece of ransomware. Given the number of people who watch the Super Bowl, the outcome of that attack could have been disastrous.
Also: What is the dark web? Here's everything to know before you access it
That's quishing. Fooling a person (or a number of people) into thinking something is harmless (or necessary) but the true intent is far from innocent. The goal is to access your information, steal your bank account credentials, and much, much more.
QR codes are everywhere: in restaurants, mass transportation, commercials, signs, walls, bathrooms, advertisements, and even companies ship their products with QR codes, so consumers can access manuals on their phones.
We've all just accepted the QR code. And, to that end, we trust them. After all, how harmful can a simple QR code be? The answer to that question is...very. And cybercriminals are counting on the idea that most consumers always assume QR codes are harmless. Those same criminals also understand that their easiest targets are those on mobile phones. Why? Because most desktop operating systems include phishing protection. Phones, on the other hand, are far more vulnerable to those attacks.
Also: 9 top mobile security threats and how you can avoid them
At the moment, most quishing attacks involve criminals sending a QR code via email. Most often those emails act as a call out for users to verify accounts and that the user in question must act within a certain time frame or their account will be locked or closed. The idea is that a user would see the QR code in their desktop email and scan the code with their phone. Once scanned, the QR code would wreak havoc on the device.
Of course, that's not the only way a threat actor could use a QR code to dupe people into falling for their scam. As I said, QR codes are everywhere. What's stopping a cybercriminal from plastering QR codes everywhere, knowing some innocent bystander would scan the code to unleash whatever attack was planned?
The simplest thing you can do is not scan QR codes...especially those from unknown sources. Theonlytime I ever scan a QR code is after I've verified the source. Even then, I'll only scan it if I absolutely have to.
If you receive an email with a QR code, the first thing you should do is verify the validity of the sender. For example, if you receive an email with a QR code that purports to be from Company X but you look at the sender's email and it's from Gmail or some random (unknown) domain, chances are pretty good that's a quishing attack.
Also: What is Facebook Protect? Here's why you may be forced to turn it on
My best advice is that any QR code in an email should never be scanned. Legitimate companies will always send instructions on doing whatever it is you need to do. And most companies are certainly not going to send a QR code so you can verify your account. As for the random QR codes you encounter in the world? Just don't. If you allow your curiosity to get the best of you, you might not enjoy the consequences.
Just like SMS messages from unknown sources, those QR codes could be hiding dangerous intent. So, unless you are 100% certain of the source of a QR code, never scan it with your phone.