Quishing: identity theft via QR codes is soaring : Internet Scambusters #1,102
Quishing is the newest and most difficult-to-spot version of phishing - tricking people into disclosing personal and confidential information.
The crime is rocketing and seriously worrying security experts, because the fake Quick Response (QR) square barcodes it relies on are often hard to detect.
But in this week's issue, we'll tell you exactly how to beat the crooks by using a secure scanning app and taking several other steps to protect yourself.
Let's get started…
Stop Before You Scan To Beat Quishing Scammers
Before you scan that square-shaped barcode of black squiggles we call QR codes… Stop! Or you could fall victim to one of the fastest-rising identity theft and malware scams: "Quishing."
Before the no-touch and contact-tracing days of the pandemic, most of us had never heard of phishing attacks via Quick Response codes. Now the codes are everywhere: on menus, parking meters, doorways, tourist attractions, advertisements, shopping mall posters, package delivery notifications, emails, and texts - and on your computer screen. And it's easy to see why.
In simple terms, you scan a QR code with a mobile device, which reads the web address hidden in the pattern and takes you to that website for further interaction. Sometimes, they're also used as a second security check when you're trying to sign on.
Simple enough. But what if it's not the website you thought you were going to? Would you notice whether everything looked right? Or what if, instead of taking you anywhere, scanning the code quietly downloads malware onto your device, installs tracking software, or even steals data without you noticing?
That's exactly what's happening on a frightening scale. For example, one security firm, Perception Point, reported a massive 423% rise in the crime between August and September last year. Over the same period, the proportion of quishing among what the firm calls "malicious incidents" rocketed from 0.4% to 8.8%.
Perception Point also reported that by last September, almost 10% of all QR codes scanned were malicious. We're talking hundreds of thousands here.
Why Quishing Works
In a recent blog, security experts at Keepnet Labs noted: "The inherent danger with quishing is that, unlike traditional URLs, QR codes cannot be 'read' or 'previewed' by the human eye. This obscurity provides an added layer of deception, making it easier for attackers to trick individuals into scanning malicious codes…
"This inability of the human eye to 'read' QR codes means that we place implicit trust in them, often scanning without a second thought."
The really bad news is that the US is the top user of QR codes, accounting for three-fourths of all global scans, or around 40 million a year. And we create an estimated 300,000 new code boxes a year.
That also makes us the top target for quishing scammers. Much of the growth comes from codes placed in emails that are viewed on desktop computers, with a request that you scan them with your mobile.
And one of the reasons for their success is that people tend to trust them without question. The codes are also easy to generate. Plus, of course, there's no easy way to tell the good guys from the bad; they all look very similar.
In fact, a major concern is that they have the potential to evade some security software, precisely because they look so "normal." The malicious element is hidden in those tiny black dots and squares.
7 Ways To Play Safe and Beat Quishing
Though the crime is now significantly worse than a few years ago, we covered QR code scams in our issue #542: 5 Ways to Avoid a QR Code Scam. The tips we gave then still stand, but here are a few more ways to keep you safe from quishing.
- Use a secure scanning app instead of your device camera. These check if you're actually heading for the right site before you even go there. But do your research to confirm the app itself has the right security features.
- Always check the URL shown in your browser's address bar to be sure you're at the right place. Beware of codes that use address shorteners, which conceal the actual website you're going to until the last moment.
- Use up-to-date security software, which will likely warn you if you make a dangerous move.
- If it's a physical QR code, check to see if it's on a sticker that might have been placed on top of a genuine one. This is a common trick at parking sites. If you scan one, not only will your identity be at risk but you also, unknowingly, won't be paying for parking and could get fined!
- Beware if you're urged to act quickly, if you're asked to provide personal information as a result of a scan, if the code has no accompanying text, or if it appears in a poorly designed message.
- Don't be easily taken in by emails and texts that appear to come from a reputable organization, perhaps one you already have a relationship with. In fact, Microsoft is the most commonly used name in email quishing attacks, followed by banks.
- Use two-factor or multi-factor authentication for signing on whenever possible. Then, even if your info is compromised, crooks still won't be able to access your accounts.
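As an added illustration (not from this newsletter or from any scanning app), here is the kind of check a secure scanning app can run on the text decoded from a QR code before your browser opens it, applying the tips above: is it really a web address, does it use an unencrypted link, a URL shortener, a raw IP address, login text before an '@', a look-alike (punycode) domain, or a host other than the one you expected. The shortener list, the expected host cityparking.example and the sample addresses are all constructed for the example.

```python
from typing import List, Optional
from urllib.parse import urlparse
import ipaddress

# Constructed list of well-known URL shorteners (example data, not from the article).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}


def check_qr_payload(payload: str, expected_host: Optional[str] = None) -> List[str]:
    """Return warnings for the text decoded from a QR code.
    An empty list means no red flag was found, not proof that the link is safe."""
    warnings: List[str] = []
    text = payload.strip()
    if "://" not in text:
        # Wi-Fi configs, contact cards and plain text are not links at all.
        return ["payload is not a web address; do not open it as one"]
    url = urlparse(text)
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme '{url.scheme}'")
    elif url.scheme == "http":
        warnings.append("unencrypted http link")
    if not host:
        warnings.append("no hostname in URL")
        return warnings
    if url.username or url.password:
        # Everything before '@' is login data, not the site you will visit.
        warnings.append("credentials in URL; the real host is after the '@'")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if host in SHORTENER_HOSTS:
        warnings.append(f"URL shortener '{host}' hides the real destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode hostname; may be a look-alike domain")
    if expected_host:
        exp = expected_host.lower()
        if host != exp and not host.endswith("." + exp):
            warnings.append(f"host '{host}' is not {exp} or one of its subdomains")
    return warnings


if __name__ == "__main__":
    # Constructed sample: a meter sticker that should point at cityparking.example.
    print(check_qr_payload("http://cityparking.example@198.51.100.7/login", "cityparking.example"))
```

The function only inspects the decoded text; it does not fetch the page, so it works before any connection is made.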
Quishing has been described as the new frontier for phishing scams. Using our tips and trusted scanning tools should help you steer clear of the crooks.
This Week's Alerts
No parking: Fake mobile parking apps are popping up at the top of online searches. Genuine apps, some for particular localities and others operating nationwide, allow users to pay their parking charges via the web instead of using cards or cash at parking lots and meters. But scammers have created imitation websites. After someone signs up, they provide all their card details, which are then used for identity theft and other crimes. It's unwise to click on links just because they appear at the top of a search. Thoroughly check out anyone you're thinking of signing up with.
Safety for kids: The US Federal Trade Commission (FTC) is seeking public ideas and comments about its plan to tighten up protections for young Internet users. The submissions deadline is March 11.
Jury scam surge: US courts have issued a new warning of a surge in the longstanding jury duty scam. Victims receive phone calls from imposters claiming to be from local courts or law enforcement, saying they failed to turn up for jury service and must pay a fine, usually of several hundred dollars. They demand payment via gift cards or cash wiring services because these usually cannot be traced. That alone should tell you it's a con trick, because police and courts never ask for payment by these methods.
Time to conclude for today -- have a great week!