
QR CODES: Is Convenience Worth the Risk? 

Justin Moore, Cody Eckhoff – September 16, 2024

In today’s world, convenience is what drives most of our technological advancements. We are constantly pursuing new ways to make human life easier. A prime example of this comes in the form of QR Codes. While not inherently bad, QR Codes make it simple to be directed to websites, payment methods, and informational flyers, and to transmit data in a seamless way. With this convenience, threat actors (bad people) are also becoming more sophisticated, taking advantage of human behavior in the form of Quishing.

What is Quishing? 

How can something with the name “quishing” be harmful? Well, quishing is a form of phishing, a cybersecurity attack where the goal is to deceive and manipulate a person into giving away their personal information. Now that you are aware of the dangers, let us ask ourselves a few questions.

1. Threat actor sends an email with a malicious QR code.
2. The user scans the code and is taken to a phishing website.
3. The phishing website prompts the user for login credentials.
4. Threat actor can now use the stolen credentials to take over the user's account.

What social engineering tactics are at play? Am I being targeted? 

Threat actors are becoming increasingly sophisticated in their tactics. They study and act on human behaviors while casting a wide net, targeting those who are too trusting. Are you being rushed or pressured into scanning the QR code? Creating a sense of urgency plays on human emotion. It creates a situation where a person must quickly decide or face consequences. Is your curiosity being exploited? Did you stumble upon a QR code while walking on campus? While it is tempting to find out where it leads, forget that curiosity; haven’t you heard the saying about that cat? Does the offer seem too good to be true? In most instances, it is. In any case, taking your time to research, or asking someone, can keep you out of trouble.

Who put this code here? Where does it take me?

QR codes can appear in your inbox or on websites unexpectedly. In such cases, it is better to navigate to the website manually instead of risking a malicious redirect through a QR code. QR codes in public spaces can be especially tricky. Genuine QR codes may be covered with malicious ones that direct you to harmful websites. These sites serve different objectives. For example, you come across a QR code in an email, or while walking. After scanning, you are redirected to another site that asks for your name, email address, login credentials, or payment methods, or even asks you to download malicious files. It is much safer to go directly to the official website rather than scanning the code. It is unlikely that a QR code will offer benefits not available on the actual site.

Let us take a close look at the website it directed you to. Does the URL look suspicious or random? Look for signs of security, such as “HTTPS” (note the ‘S’ for secure) and the lock symbol in your browser. HTTPS provides secure communication between your browser and the webserver (the computer that hosts the website). Being diligent in what you do goes a long way: while HTTPS is much more secure than HTTP, it does not necessarily mean the website is safe. The “S” indicates that COMMUNICATION between your browser and the webserver is encrypted, meaning any data sent between the browser and the webserver is translated from plaintext (human-readable characters) into ciphertext (unreadable characters). A phishing site can have a valid HTTPS lock too; the lock tells you the connection is private, not that the site is who it claims to be. Paying attention to these few details can help prevent your system from being compromised.
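The questions above (Does the URL look suspicious or random? Is it HTTPS? Is it the real site?) can be turned into a small checklist you run against the text a QR scanner decodes before you tap the link. The script below is an added example, not code from the original post or from the Division of Information Technology; the domain names and the `assess_qr_url` function are constructed for illustration, and the "expected domain" is an assumption you supply (the official site the flyer or email claims to lead to). It deliberately shows that an HTTPS lookalike still gets flagged, which is the page's point that HTTPS alone does not make a site safe.

```python
import ipaddress
import math
from collections import Counter
from typing import List
from urllib.parse import urlsplit


def _shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_qr_url(url: str, expected_domain: str) -> List[str]:
    """Return human-readable warnings for a URL decoded from a QR code.

    expected_domain is an assumption: the official domain the QR code
    claims to belong to (e.g. the one printed on the flyer or in the email).
    An empty list means none of the page's red flags were found, NOT that
    the URL is safe.
    """
    warnings: List[str] = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower().strip(".")

    # Red flag 1: no HTTPS at all (the page's "look for the S" check).
    if scheme != "https":
        warnings.append(f"not HTTPS (scheme is '{scheme or 'none'}')")

    if not host:
        warnings.append("no host name in URL")
        return warnings

    # Red flag 2: user@host tricks that hide the real destination.
    if parts.username is not None:
        warnings.append("'@' credentials embedded before the real host")

    # Red flag 3: a bare IP address instead of a domain name.
    if _is_ip_literal(host):
        warnings.append("host is a raw IP address, not a domain name")
        return warnings

    # Red flag 4: host is not the official domain or a subdomain of it.
    on_expected = host == expected or host.endswith("." + expected)
    if not on_expected:
        warnings.append(f"host '{host}' is not under '{expected}'")
        brand = expected.split(".")[0]
        if brand in host:
            warnings.append(f"lookalike: contains '{brand}' but is a different domain")

    # Red flag 5: a long, random-looking registrable label ("does it look random?").
    labels = host.split(".")
    core = labels[-2] if len(labels) >= 2 else labels[0]
    if len(core) >= 12 and _shannon_entropy(core) > 3.5:
        warnings.append(f"random-looking domain label '{core}'")

    return warnings


if __name__ == "__main__":
    # Constructed sample URLs; the expected domain is the (fictional) official site.
    official = "university.example"
    samples = [
        "https://portal.university.example/login",            # genuine
        "http://192.0.2.10/login",                            # plain HTTP to an IP
        "https://university.example.login-xk3q9zp7vm2r.net/", # HTTPS lookalike
    ]
    for s in samples:
        found = assess_qr_url(s, official)
        print(s, "->", found or "no red flags found")
```

Run it with the URL your scanner shows (most phone scanners display the decoded text before opening it); any warning means stop and type the official address yourself, which is the same advice the post gives.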

TLDR (Too Long Didn’t Read) 

Quishing, or QR phishing, is a cybersecurity attack that deceives people into sharing personal information or redirects them to malicious sites. Threat actors (bad people) use social engineering tactics that create urgency or exploit curiosity to trick people into scanning the codes. It is important to maintain a healthy level of skepticism, and always question who placed the code, what it leads to, and why. Spend the extra time going to the actual site instead of scanning. Check URLs for HTTPS to help ensure the connection is secure, though HTTPS does not guarantee a site is legitimate.

QR code with CSU Ram Head logo in the center