QCOSTARICA – Do you scan every QR code you see? QRishing might make you think twice. It is a form of phishing attack in which hackers exploit QR codes to steal private information, install malicious software on a device, or direct a person to an unsafe website.

QRishing is one of the fraud methods taking advantage of soccer fans in the context of the Qatar 2022 World Cup.
The attack consists of planting fake codes; when a user scans one, they are directed to a fake website that asks for their credentials. In this way, attackers steal payment data, clone cards or impersonate the victims.
“Cyber attacks are constantly evolving and there are more and more ways in which we receive fraudulent notifications; for this reason, it is important that people understand that no one is exempt from being a victim of QRishing or any other form of theft. It is essential to be informed of these trends to know how to proceed and not fall into cybercrime,” said Joey Milgram, manager of Secure Solutions in Costa Rica.
So how do these attacks work? How can you avoid falling victim to a QRishing attack?
The website Makeuseof.com explains that QRishing exploits the tendency of phone users to scan QR codes out of curiosity, boredom, or necessity. For instance, the attacker may leave flyers at a bus stop or on tables at restaurants or coffee shops. When a person scans the QR code with their phone, thinking it’s an ad or menu, it displays a URL, an image, or a map with directions to a location, among other things.
From here on, scammers rely on social engineering (the act of manipulating people to steal private information from them) to trick victims into sharing sensitive information. Hackers may also exploit vulnerabilities like WebKit bugs in a browser to take over the victim’s device.
Of course, not everyone would scan a random QR code without an incentive or a caption explaining what they can expect to see. Or would they? So cybercriminals often find another way to get people interested.
How to Avoid QRishing
Scanning and reading a QR code mostly requires two things: a camera and a browser to follow the information in the QR code. Because the process is so simple, avoiding falling victim is simple too.
Here’s how:
- Block camera access on your phone
- Disable automatically opening links when scanning a QR code
- Keep your phone software updated
- Avoid sharing sensitive information online
- Think before you scan
- Do not trust spam emails
If the QR code leads to a page that asks for personal information, especially passwords or data related to payment methods, it is important to stop and think for a moment about whether the context really requires it.
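Disabling automatic link opening only helps if the decoded link is actually read before it is followed. As an added example (not from the original article or from Makeuseof.com), this Python function shows the checks a scanner app or a cautious user could apply to the text decoded from a QR code; the function name, flag names, shortener list and sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a short illustrative list; a real tool would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def inspect_qr_payload(payload, expected_domain=None):
    """Return a list of warning flags for text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ["not-a-web-link"]        # e.g. WIFI:, tel:, sms: or plain text
    flags = []
    if scheme == "http":
        flags.append("no-tls")           # page cannot be authenticated
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return flags + ["no-host"]
    if parts.username or parts.password:
        flags.append("userinfo-in-url")  # text before '@' is not the real host
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")  # legitimate menus and ads use names
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")    # may render as look-alike characters
    if host in SHORTENERS:
        flags.append("shortened-link")   # final destination is hidden
    if expected_domain and not (host == expected_domain
                                or host.endswith("." + expected_domain)):
        flags.append("unexpected-domain")
    return flags

if __name__ == "__main__":
    # Constructed sample payloads (documentation-reserved names and addresses).
    samples = [
        ("https://menu.example.com/today", "example.com"),
        ("http://192.0.2.10/login", None),
        ("https://menu.example.com@192.0.2.10/pay", "example.com"),
        ("WIFI:T:WPA;S:cafe;P:pw;;", None),
    ]
    for text, expected in samples:
        print(text, "->", inspect_qr_payload(text, expected) or "no flags")
```

An empty list means none of these checks fired, not that the page is safe; a page that asks for passwords or payment data still deserves the pause described above.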
On the bright side, QRishing is less common than other types of phishing because an attacker would need to invest some effort into distributing the malicious QR code.
However, this form of phishing is relatively new, and not many people know about it, which means people can easily fall for it. Cybercriminals who carry out these attacks have everything to gain and nothing to lose.