
The QR code scam and quishing: Be careful what you scan!

QR code scamming and quishing are two techniques that are on the rise

The QR code scam is used to attack cell phones, spy on companies, commit fraud and obtain access credentials to applications and platforms

A British citizen scanned a QR code to pay for parking at a train station managed by the TransPennine Express railway company. However, she was caught up in a £13,000 fraud. This example, from late 2023, makes visible a threat on the rise: the QR code scam.

Using this new attack technique, criminals impersonate legitimate businesses such as parking companies, restaurants or public institutions, create fake QR codes, trick their victims into scanning them with their cell phones and manage to:

  1. Download malware on the device to spy on the user or access applications such as banking apps.
  2. Redirect the victim to a fake website requesting valuable information such as name, surname, phone number, email address or bank details. From there, they can make illegitimate charges, impersonate their identity to commit financial fraud or sell their data to carry out other attacks.

Why is the QR code scam so dangerous? What is quishing, a new variant of phishing? How can these scams be avoided? We answer these questions below.

1. Covid and the spread of QR codes

QR codes have existed for decades, but their presence has become ubiquitous, especially since the COVID-19 pandemic. The need to avoid physical contact to fight the spread of the virus led to analog procedures, such as consulting a restaurant menu, being digitized through the use of QR codes and a device that accompanies us everywhere: our smartphone.

Although the pandemic has ended, many restaurants and bars use QR codes instead of physical menus. Moreover, QR codes proliferate in public spaces such as train stations, airports, bus stops, hospitals and administrative buildings. They are also in all kinds of stores and even on urban billboards.

Why? QR codes make it easy to install mobile apps by sending users directly to the listing in Google Play or Apple's App Store, and they speed up access to websites and PDF downloads.

As has been the case since the dawn of digitalization, criminals have taken note of the proliferation of QRs to exploit it to their advantage. As a result, the QR code scam has become a threat to be considered by companies and the general public.

2. The QR code scam: Public spaces pose a risk

Should we stop scanning restaurant menus to avoid the QR code scam? According to the UK’s National Cyber Security Centre (NCSC), QR code scams are very rare in bars, pubs and restaurants because owners are quick to spot them and because it is more difficult to replace legitimate codes with fraudulent ones.

However, it can seriously threaten public spaces such as train stations, bus stops, parking meters, parking lots or public bicycle service stations such as Madrid’s BiciMAD. Why?

  1. It is more feasible to carry out code substitution without anyone noticing.
  2. If the QR code scam is technically well-designed, it can impersonate transport companies and public administrations without the victim noticing.
  3. The number of potential victims is remarkable. Consider, for example, a QR code scam that impersonates an application used to pay for regulated street parking (the “blue zone”) in dozens of cities.
  4. People scanning QRs in these spaces are generally in a hurry and want the mobile app or access to the web platform. They need to pay for a parking space as soon as possible. This urgency causes them not to pay attention to the small details that may be evidence of deception.
  5. In addition, the victims may be professionals on the move during their working day and use a company phone to scan a QR. This means criminals could deploy ransomware or an infostealer on a corporate device and obtain valuable business data and information for extortion and fraud.

3. Quishing: phishing is like energy: it just transforms

The QR code scam has hybridized with one of the world’s most widely used malicious techniques: phishing. The result of this fusion is a new attack variant known as quishing. What is it?

  1. Criminals send fake emails to their victims, asking them to scan QR codes instead of clicking on a link.
  2. Victims scan the QR using their personal or professional cell phones. Then:
    • They land on an authentic-looking phishing page and are asked to enter login credentials for specific programs or platforms (business software, social networks, online banking accounts, etc.).
    • They arrive at a malicious page to download a program or document infected with malware.
    • A malware-infected PDF is automatically downloaded.
  3. Criminals use the credentials to illegitimately access programs or deploy their malware to spy on their victims, steal critical data, and even access other critical mobile applications.
  4. Sometimes, QR code scams and quishing are combined with other techniques, such as fake calls impersonating banking institutions, so that the victim is not suspicious of illegitimate charges to their bank account. This was the modus operandi of the malicious actors in the first case discussed in this article.

QR code scam can lead to a mobile phone being successfully attacked

4. Why is quishing a phishing variant on the rise?

  1. Phishing is a technique that is already well-known to a large part of the population. That is why many people are reluctant to click on links that are too short or do not seem genuine. On the other hand, the QR does not, at first glance, show any suspicious signs.
  2. There are numerous applications for creating QRs in seconds, so there is no added complication in preparing a social engineering campaign.
  3. Email clients and mail gateways have tools to detect messages from suspicious sources, but detecting the QR code scam is more complex, because the malicious link is hidden inside an image rather than written in the message.
  4. Many professionals scan QR codes with their company or personal cell phones. So, if criminals use malware, they can infect a device that lacks the security measures of a corporate computer. This makes it easier for malware to spread and more difficult to stop it before criminals achieve their goals.

5. Tips to avoid becoming a victim of the QR code scam

How can people prevent quishing or falling victim to the QR code scam?

  1. Be cautious and use common sense when scanning a QR code in a public space such as transportation stations or parking areas. This is especially true if you are using a mobile device that holds login credentials and business information.
  2. Check that the QR code has not been placed over the original one, for example, with a sticker.
  3. Pay attention to the URL to which the QR code points. The address itself may reveal that it is not a legitimate link of the company or institution being impersonated.
  4. If you receive an email in your business inbox, it is not advisable to scan the QR code with either your company cell phone or your personal phone.
  5. Act with caution when visiting a website to which a QR redirects. Before entering personal and financial data or downloading any document or program, it is essential to check that the link, the texts and the visual appearance are consistent.
  6. In case the QR code scam is carried out in a professional context, it is essential to notify the company’s team in charge of managing security incidents.
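The URL check in tip 3 can be automated on the defender's side. The following is an added example (not code from the original article): it takes the text already decoded from a QR code (decoding is left to the phone or a QR library) and flags the warning signs discussed on this page. The operator's domain allowlist, the brand name and the shortener list are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of the (hypothetical) parking operator's real domains.
LEGIT_DOMAINS = {"parking-operator.example", "pay.parking-operator.example"}
# Common URL shorteners: a shortener hides where the QR really leads.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels (fine for .com/.example, not for co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_qr_url(payload: str, brand: str, legit_domains=LEGIT_DOMAINS) -> list[str]:
    """Return warning strings for a decoded QR payload; an empty list means no red flag found."""
    warnings = []
    if not payload.lower().startswith(("http://", "https://")):
        scheme = payload.split(":", 1)[0]
        return [f"payload is not a web URL ({scheme!r} scheme); treat with suspicion"]
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not HTTPS: data entered on this page can be intercepted")
    if parts.username is not None:
        # "https://real-brand.example@evil.test/" shows the brand first but lands on evil.test
        warnings.append("URL contains a user@ prefix, used to disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a company domain")
    except ValueError:
        pass
    if host in SHORTENERS:
        warnings.append("URL shortener hides the real destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: possible look-alike (homograph) domain")
    if host and host not in legit_domains:
        legit_regs = {registrable_domain(d) for d in legit_domains}
        if registrable_domain(host) not in legit_regs:
            if brand.lower() in host:
                # Brand name used as a subdomain or in the path of someone else's domain
                warnings.append(f"'{brand}' appears in {host} but it is not a {brand} domain")
            else:
                warnings.append(f"{host} is not a known {brand} domain")
    return warnings
```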

6. The importance of strengthening cell phone security

Beyond the essential tips we have just listed, companies and administrations that use QR codes in public spaces must continuously monitor their codes to prevent them from being replaced and their identity from being used to defraud customers and citizens. In this regard, cyber intelligence services are essential to detect digital fraud and combat it.

6.1. Cybersecurity services for successfully dealing with QR code scams

On the other hand, companies must incorporate QR code scamming and quishing into their threat landscape and improve their resilience against them by resorting to cybersecurity services:

  • Social engineering tests tailored to quishing scenarios, to analyze whether an organization’s professionals are prepared to avoid falling victim to these scams and to improve their training.
  • Mobile application security audits to detect vulnerabilities that malicious actors can exploit if they manage to infect corporate cell phones.
  • Vulnerability management to carry out continuous cybersecurity monitoring of the company, considering the risks associated with using cell phones and the possibility of a QR code scam against one of the organization’s professionals.
  • Proactive incident response allows one to understand the incident in seconds, identify the scope of the compromise and the permissions available to the malicious actors and orchestrate an effective response in the shortest possible time. Thanks to this service, if a company falls victim to a QR code scam or quishing, it can limit the success of the attack and expel the hostile actors before they cause severe damage to the company.

In short, QR code scamming and quishing are an evolution of phishing that takes advantage of the rise of QRs to attack a device that has become critical in our personal and, above all, professional and business lives: the smartphone.

It is essential to increase the level of protection of these devices while preventing social engineering attacks to prevent malicious actors from spying on an organization, committing financial fraud or gaining access credentials to vital applications.
