Quishing: The New QR Phishing Threat
Key Points
- QR codes are everywhere because they’re convenient, but scanning them can unknowingly direct you to malicious sites that install malware or steal credentials.
- “Quishing” is the term for QR‑code phishing, extending the phishing family (phishing, spear‑phishing, whaling, smishing, vishing) to the QR medium.
- Malicious QR codes can lead to fake login pages, credit‑card harvesting, or drive‑by malware infections simply by visiting the linked URL.
- The core risk stems from the loss of transparency: users see a simple code but have no visibility into the destination URL before scanning.
- Protect yourself by verifying QR destinations, using security‑aware scanning apps, and treating QR links with the same caution you would an email or SMS phishing attempt.
Sections
- The Hidden Dangers of QR Codes - The speaker warns that QR codes, though convenient, can be weaponized in phishing attacks (quishing) that redirect users to malicious sites, and explains how to protect against them.
- Safe Practices for Scanning QR Codes - The passage explains why generic warnings like “don’t scan QR codes from strangers” are insufficient and outlines practical defenses—questioning the necessity, manually entering known URLs, disabling automatic execution, and previewing the link before opening it.
- Secure Practices After Scanning QR Codes - The speaker emphasizes updating software, using multi‑factor authentication or passkeys, installing mobile security apps, and refraining from entering sensitive information on unknown sites to defend against threats introduced via malicious QR codes.
Source: https://www.youtube.com/watch?v=RVF6NVnJvd8
Duration: 00:08:30
Timestamps
- 00:00:00 The Hidden Dangers of QR Codes: https://www.youtube.com/watch?v=RVF6NVnJvd8&t=0s
- 00:03:07 Safe Practices for Scanning QR Codes: https://www.youtube.com/watch?v=RVF6NVnJvd8&t=187s
- 00:06:10 Secure Practices After Scanning QR Codes: https://www.youtube.com/watch?v=RVF6NVnJvd8&t=370s
Full Transcript
Have you ever seen these things before?
It would be hard not to since they're popping up literally everywhere.
Scan this code on your phone to place your order or pay for parking, order room service in your hotel, this kind of stuff.
We see these proliferating because they're so much more convenient than typing in a long website address.
Harmless enough, right?
I mean, they wouldn't be putting them in businesses everywhere if they weren't safe, right?
These things are called quick response codes, QR codes for short, and unless you have a QR code interpreter in your brain,
and if you do, we need to talk, you have no idea where this is gonna actually take you.
For instance, this menu actually takes you to a completely different site.
In this case, it's harmless, but it could have taken you to a place where a hacker site installs malware on your system.
This one could have taken you to a fake login page that harvested your login credentials,
and this one could have siphoned off your credit card number and given it to a thief.
What I'm talking about is a type of QR code phishing attack known as quishing.
Let's take a look at how these codes can be abused and what you can do to protect yourself.
First, let's talk about what these things are.
QR codes are two-dimensional barcodes that can store information like text, contact details, or a URL.
Mostly they are used as easier ways to direct you to a website.
Instead of having to type in this,
you can just scan an image on your phone and you're just a click away from a journey to parts unknown.
Usually these are harmless, except when they aren't.
The problem is that while we gain simplicity, we lose transparency.
The bad guys know that and take advantage of this to obfuscate their attack.
So now you can add a new term to the phishing vocabulary.
We already had garden variety phishing.
In that case, an attacker sends an email pretending to be from some organization that they aren't
to convince you to click on a link that you shouldn't click on.
There's also spear phishing,
which is a more targeted version that leverages information about your organization to make the attack more believable.
Then there's whaling, which goes after the big targets, the big fish.
The chief executive officer, the CXOs and those types of folks.
Then there is smishing, where we use phishing, but we're delivering it via an SMS message.
Then of course, there's vishing, where we do the same thing, but through voice messaging.
And now we have, of course, the QR code version of this, which is quishing.
Quishing is phishing via QR codes
because of course someone's going to take advantage of this means of communication as well.
What you might not realize though is that just by visiting a malicious website,
you can unknowingly end up infecting your device with malware.
That malware could steal sensitive information like your passwords, credit card numbers and the like.
So you need to be careful.
So how can you protect yourself from malicious QR codes?
Let's take a look at what works and what doesn't.
So that you can keep yourself from being a victim.
First off, here's some advice you may get that mostly doesn't work.
Don't scan QR codes received from strangers.
Well, it sounds like a good idea, but this isn't likely to work because most QR codes you see will in fact be from strangers,
or at the very least from sources you can't verify,
like the desk in your hotel room, a sign in a parking lot, or a letter you got in the mail.
Even if it was sent to you from someone that you know,
it still doesn't mean that they actually know what it will do either
and it could have come from their ID but not actually from them if someone took over their system.
Okay, so let's talk about what actually could work, and the first one I'm going to tell you: you need to think.
Think about what you're doing. Think about: do I really need to do this or not?
Is this just something that popped up on the screen and I'm clicking on or do I really need this?
And if so, is there a safer way to do it?
In other words, might I, if I already know what the website address is, just go ahead and type it in, or use a bookmark.
Next thing, disable.
Disable what?
Well, disable automatic execution of commands or URLs from whatever you're using to scan these with.
So that you can look at the thing first, which leads to my next bit of advice, look before you leap.
You can preview the URL and see if it looks right.
So many QR code scanner apps, or the camera on your smartphone, will show you the URL before it actually opens.
And then you get to click on it and decide.
Carefully check the link that shows up there.
Look for typos, look for strange domain names or suspicious characters.
Anything that looks a little bit out of place.
Also here's another one most people don't consider, and that is, look for tampering.
What do I mean by that?
Well, someone could have taken a sticker of a QR code and put that over a legitimate QR code.
And if you don't notice that, in fact, they've laid this sticker on top,
you now scan the fake one, even though it's in what would be a legitimate site.
You could also use a trusted scanner app, and these exist,
that are designed to look for known malware and phishing sites.
And they will not direct you to those.
They'll just block you if one of those things comes up.
You want to avoid scanning QR codes from unknown sources when you can.
But as I said, a lot of them are gonna be unknown.
So don't scan QR codes from sketchy flyers that you see maybe posted on a bulletin board
or just something that comes in the mail to you that you don't know anything about.
Stickers that are on walls or random handouts.
That kind of stuff is really just not worth the risk.
Then, as I often tell you, make sure your systems are patched.
That is, update all the software.
You need to be updated because new software releases often address vulnerabilities that malware might exploit.
After scanning a malicious QR code,
you wanna know your system is going to be able to stand up to whatever attack there might be out there.
Next up, consider using some other things to protect your credentials.
I mentioned that these things might be trying to steal credentials,
so every time you get a chance, set up multi-factor authentication, and another one that I'm a big fan of, passkeys.
Use these things on your IDs. Then if the QR code is trying to steal your account by stealing your password,
it won't be able to steal your password because you have a passkey.
They are different. And with multi-factor, a password alone
will not allow them to get in.
They'll have to also have your face or your phone in their possession.
Consider using a trusted mobile security app.
These things exist also.
So there will be apps that go out and look on your phone
to make sure that you don't have malware on it and would prevent infection.
And ultimately, don't enter sensitive information on these systems in the first place.
So, if it's going to a webpage
that you've arrived at by scanning a QR code, think really twice,
three times about whether that's something I really wanna put into what was a random site
and might not have taken me to where I'm gonna be.
What's the value of the information I'm about to enter and what kind of security protections do I have in place?
And if you're a business or an organization,
you really wanna educate your users, train them so that they know what this real risk is.
This is essentially a social engineering attack
where they're trying to rely on your trust and exploit your trust, and take advantage of your trust.
They put up a QR code, you trusted it, and you went there,
but you wanna make sure that people understand that trust can be abused, and you want to eliminate that from happening.
So, if you do all of this, well, here comes a dad joke.
You'll squish the quishers.
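As an added example that is not part of the video: a small Python preflight check that applies the speaker's "look before you leap" advice (check the previewed URL for typos, strange domain names and suspicious characters) to the string a QR code decodes to, before anything is opened. The known-domain list, shortener list and sample payloads are constructed for illustration, and the "last two labels" domain split is a deliberate approximation.

```python
import ipaddress
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist: domains this user already knows (the video's "type it
# in or use a bookmark" advice applies to these instead of scanning).
KNOWN_DOMAINS = {"example.com", "example-hotel.com"}
# A few public link shorteners; the real destination is hidden behind them.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def inspect_qr_url(payload: str) -> list:
    """Return warnings for a decoded QR payload; an empty list means no red flags."""
    warnings = []
    if not re.match(r"^[a-z][a-z0-9+.-]*:", payload, re.I):
        # QR payloads need not be URLs (plain text, vCard, Wi-Fi config, ...).
        return ["payload is not a URL; check what the scanner would do with it"]
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"non-web scheme '{scheme}': may hand the payload to another app"]
    if scheme == "http":
        warnings.append("plain http: the page and anything typed into it are unencrypted")
    host = (parts.hostname or "").lower()
    if not host:
        return warnings + ["URL has no host"]
    if parts.username is not None:
        warnings.append("text before '@' in the URL: the real host comes after it")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("punycode or non-ASCII host: possible look-alike characters")
    if host in SHORTENERS:
        warnings.append("link shortener hides the real destination")
    # Crude registrable-domain approximation: the last two labels of the host.
    reg_domain = ".".join(host.split(".")[-2:])
    if reg_domain not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if known in host:
                warnings.append(f"'{known}' appears as a subdomain of {reg_domain}")
            elif SequenceMatcher(None, reg_domain, known).ratio() >= 0.8:
                warnings.append(f"{reg_domain} looks like a typo of {known}")
        warnings.append(f"{reg_domain} is not on your known-domain list")
    return warnings
```

A scanner app can run this on the decoded string and show the warnings next to the URL preview; an empty result only means nothing obvious was found, not that the site is safe.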