Don’t let QR codes scam you: After phishing, quishing attacks on the rise

The QR code can take you to a legitimate-looking fake website, such as that of an e-commerce company.


From the local sabzi mandi (vegetable market) and pamphlets to restaurants and malls, QR codes are everywhere. You now make payments, get to the restaurant menu, visit websites, and get information by just scanning those chequered squares. Convenient, yes. But can that convenience come at a cost? Also yes.

Scammers are increasingly using malicious QR codes to rob users of their money, personal information, and even identity. It’s called QR code phishing, or simply, quishing. Reports suggest that very recently, scammers used QR codes to get donations in the name of the Ram Temple in Ayodhya.

So what is quishing, and how does it work?

To put it simply, in quishing, fraudsters use fake QR codes to lead people to fake websites to steal money, identity, and personal data.

What happens is that scammers use online tools to create fake QR codes. They use different tactics to lure you into scanning them. A commonly used one is the tactic of urgency. For example, offering limited-time deals or expiring offers creates a sense of urgency. Once a user scans the code, multiple things can happen.

The QR code can take you to a legitimate-looking fake website, such as that of an e-commerce company. It can then trick you into providing sensitive information. It can also take you to a fake login portal, a rip-off of your bank’s website. Unable to tell real from fake, you enter your login credentials, handing over sensitive information to the scammers. Not only that, the QR codes can also contain malware, ransomware, or Trojans. So scanning the codes can lead to the automatic download of these onto the victim’s device.

Also, at times, quishing can involve compromising social media profiles, enabling the sending of unsolicited emails and texts.

The scammers are smart enough to place the malicious QR codes on legitimate surfaces like pamphlets, posters, and the packaging of known companies. However, quishing isn’t restricted to the physical space and can be carried out through digital channels, too, such as emails, ads, and social media posts.

How to avoid it?

Money lost to quishing is difficult to retrieve as it is often passed through several wallets and bank accounts. Hence, scammers leave little trace of their crime. Personal data and sensitive information lost are equally menacing.

With just a little caution, you can save yourself much trouble. Here is what you should keep in mind:

  • First and foremost, avoid scanning QR codes sent by unfamiliar sources, for example, those spotted on social media platforms
  • Avoid scanning QR codes placed at suspicious places. If you still wish to go ahead, verify the legitimacy based on the companies or institutions involved. A mere check on whether the firm even uses QR codes can do you good. Also, connecting with the company directly can be massively beneficial in such a scenario
  • It’s always better to steer clear of deals that appear too good to be true
  • Use your phone’s built-in scanner or download one that has security features. These can detect malicious links and even come with a preview feature allowing you to know where you are being led to
  • Once you scan, don’t click on any unfamiliar link. It may even be a shortened URL, but don’t click until you are absolutely sure. You must also look for the HTTPS protocol for secure sites
  • Another trick is to carefully examine the URL for any misspellings, poor images, or language use. If it checks any or all of these boxes, it is better to avoid going further
  • In any case, don’t provide any sensitive information, such as bank account details. In case the website asks for such, exit immediately
  • Preview before making any payment 

Just by taking these precautions, you can steer clear of the malicious codes.

This article was first uploaded on January twenty-eight, twenty twenty-four, at twenty minutes past four in the morning.
