Cybersecurity 101: From Phishing to Quishing—staying wise to the latest forms of fraud

Do you know what vishing is? How about quishing? These types of fraud stem from technology trends that are giving fraudsters new ways to try to steal your personal information and scam you out of money.

The evolution of phishing: Fraudsters go multimedia

Phishing has evolved over the years, changing from poorly written email entreaties from supposed Nigerian princes needing help moving money, to highly convincing emails mimicking a business’s logos, branding and messaging.

Then there are the phishing variants: smishing and vishing. In these cases, text messages and phone calls are used to the same effect: targets receive text messages or automated ‘robocalls’ that pretend to be from trusted sources like banks, government officials or even friends, again with some promise or threat designed to spur action. More often than not, they demand urgent action and imply serious consequences, playing on typical human feelings to cause panic and provoke an immediate response.

While this may all start to sound like an alphabet soup of cybersecurity threats, they do have a key thread in common. They reflect broader trends of how digital technologies have become a part of our daily lives. As digital technologies like email, SMS and auto-dialing software give us new, faster and more convenient ways to communicate and conduct business, an unfortunate side effect is that these technologies can also be exploited by fraudsters.

The next frontier: QR codes

A new front in the battle against digital fraud has opened up with the use of QR codes.

A QR code typically consists of a square shape containing a grid of pixel-like black and white dots. Those dots are used to encode data: that data could be a website address, contact details, a part number, Wi-Fi network credentials, or more.

In recent years, the use of QR codes has exploded. You see them everywhere now: in place of restaurant menus, on donation requests and within advertising materials. They’re used at the end of PowerPoint presentations to send you to more information, and on smart TVs to log you into your personal apps.

The reason for the QR code upsurge is that most smartphones today have camera apps that automatically detect and decode QR codes. It’s become a quick and convenient way to send someone to a website link for more information, to download an app, or to make a payment.

So what’s “quishing” and how does it work?

Quishing is the use of a QR code to direct someone to a false or malicious website.

While QR codes excel at convenience, they also offer a new opportunity for fraudsters. That’s because they provide fraudsters a way to hide the URL they are sending you to. Just looking at a QR code won’t tell you if you’re going to a legitimate site or Joe Fraudster’s homemade scam site.

Quishing can be especially effective when the QR codes are put in credible places. In 2024, for example, CBC reported the discovery of fake QR code stickers being placed on a number of the City of Ottawa’s “pay and display” parking machines. The QR code led people to a fraudulent version of the PayByPhone website where victims were invited to ‘pay’ for their parking. (The incident prompted city officials to begin inspecting the city’s parking machines for such stickers.)

In another incident reported to the RCMP, a person received a package of goods they had not ordered. Inside was a note with a QR code that, when scanned, led to a malicious website.

The number of quishing-specific fraud cases reported in Canada is still relatively minor. However, experts expect that as QR codes become increasingly prevalent, they will become a normal part of the fraudsters’ arsenal of tactics.

Types of QR Code Tampering

1. Overlay Attacks

Be extra cautious using QR codes in public settings.
  • How it works: A malicious actor prints a fake QR code and physically places it over a legitimate one (e.g., on posters, menus, or payment terminals).
  • Impact: Redirects users to phishing sites or malicious downloads.

2. QR Code Redirection

  • How it works: The QR code links to a URL shortener (e.g., bit.ly), which is later changed to point to a malicious site.
  • Impact: Bypasses initial security scans and redirects users to harmful content.

3. Embedded Malware Links

  • How it works: The QR code encodes a URL that triggers a malware download or exploits a browser vulnerability.
  • Impact: Compromises the user’s device upon scanning.

4. Credential Harvesting

  • How it works: The QR code leads to a fake login page (e.g., Microsoft 365, banking, or Wi-Fi portals).
  • Impact: Users unknowingly enter credentials, which are harvested by attackers.

5. Wi-Fi Configuration Spoofing

  • How it works: QR codes can encode Wi-Fi credentials. A tampered code could connect a device to a rogue access point.
  • Impact: Enables man-in-the-middle (MITM) attacks.

6. QR Code in Email Phishing

  • How it works: Attackers embed QR codes in phishing emails to bypass email link scanning.
  • Impact: Users scan the code and are taken to a phishing site on their mobile device.

What can you do?

Knowledge is power. The awareness of this type of fraud can help you get ahead of the curve and avoid falling victim to it. Sharing that awareness with family, friends and colleagues is also a good step to take.

As well, many of the things you would look for in other types of phishing and fraud hold true for quishing. For example, you should be wary of messages involving an urgent promise or threat, particularly when they are unsolicited, unusual or unexpected.

Most importantly, always check the link. In the case of QR codes, if you hover over the code with your camera without actually clicking, it will usually show you the link as a little popup within the image. If you do happen to click through, check the URL of the site you’ve arrived at and make sure it’s where you had expected to be taken.
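For anyone who handles scanned codes in bulk (a help desk or a mail-screening tool, for instance), the same link check can be applied to the text a QR code decodes to. The Python below is an added example, not part of the original article; the shortener list, the warning labels and the `.example`/`.test` sample payloads are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: a tiny illustrative shortener list; bit.ly is the one the article names.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def triage_qr_payload(payload, expected_domain=None):
    """Return warning labels for text decoded from a QR code (empty list = nothing flagged)."""
    text = payload.strip()
    # Wi-Fi QR codes use the "WIFI:T:...;S:...;P:...;;" convention rather than a URL.
    if text.upper().startswith("WIFI:"):
        return ["wifi-config"]
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ["not-a-web-link"]  # no http/https scheme: not something to open in a browser
    host = (parts.hostname or "").lower()
    findings = []
    if scheme == "http":
        findings.append("no-https")
    if host in SHORTENERS:
        findings.append("shortener")  # real destination is hidden and can change later
    if "@" in parts.netloc:
        findings.append("userinfo-in-url")  # text before "@" is not the site name
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode")  # may render as look-alike characters
    if expected_domain:
        exp = expected_domain.lower()
        # Only the exact domain or a true subdomain of it counts as a match.
        if host != exp and not host.endswith("." + exp):
            findings.append("domain-mismatch")
    return findings


# Constructed sample payloads (reserved .example/.test names, not real sites).
SAMPLES = [
    "https://pay.parking.example/zone/123",
    "http://bit.ly/abc123",
    "https://parking.example.pay-now.test/login",
    "https://parking.example@pay-now.test/",
    "WIFI:T:WPA;S:CafeGuest;P:constructed;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_qr_payload(sample, expected_domain="parking.example"))
```

The third sample shows why the comparison is made on the end of the host name: the trusted name appears at the start, but the site actually belongs to `pay-now.test`.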

Also, if you see a QR code in a public space like near a parking meter, on a poster or at a store, take a moment to inspect it. Does it look like it’s been tampered with or stuck on after the fact? If anything seems suspicious, act accordingly. In general, QR codes in public spaces should be treated with caution as they are fairly easy to modify by replacing them with malicious QR codes.