'Quishing' Scams Are on the Rise and Can Drain Your Bank Account in Seconds

The Financial Times reports on a scam that uses an alarmingly simple tactic to access your data — and your money.
By David James Edited by Mark Klekas

The Financial Times reports on a dire warning issued by world banks and the U.S. Federal Trade Commission: QR scams are on the rise and stealing millions.
Known as "quishing," the scam involves criminals sending fraudulent emails with PDF attachments containing QR codes, or placing a fraudulent QR code sticker over a legitimate sign, such as one used to pay for parking.
When the fake QR code is scanned, it brings people to a criminal's website where the unwitting users enter financial information or unknowingly download malware. Adding insult to injury, notes Steph Harrison, a senior fraud operations manager at TSB, besides having your money stolen, "you could also get fined for not actually having a parking ticket."
Amir Sadon, director of research at cyber security consultancy Sygnia, explains that the scams work so well because they take advantage of QR codes' design — they're made to be readable by smartphone cameras, not the human eye. "These attacks take advantage of the fact that QR codes, by nature, are difficult to interpret visually, so victims often don't know where they are being directed to until it's too late," he told FT.
And in the form of emailed PDFs, the tactic is effective because it allows these messages to slide past cyber security filters designed to intercept malicious links. "The appeal for criminals is that it's bypassing all of the [cyber security] training and it's also bypassing our products," Chester Wisniewski, a senior adviser at security software company Sophos, told FT.
So what can you do to protect yourself? Here are some best practices:
- Look before you scan. You may not be able to spot a malicious QR code's design, but you can take an extra second before you scan one at a parking lot or on a menu to make sure it's not a sticker placed over a legit code.
- After you scan a QR code, examine the URL before clicking through. Look for tell-tale signs of fraud like misspellings or random switched letters in a legit company name.
- Don't scan QR codes in texts, emails or attachments. If you were not expecting the message, do not engage.
- Keep your devices updated. Regular system security updates are a strong tool in blocking bad actors.