Privacy Peril: Phishing, Smishing, Vishing, and now . . . Quishing

November 5, 2021
Firm Publication

QR (Quick Response) codes have become ubiquitous – they can be found on billboards, buses, email, snail mail, magazine pages, restaurant menus, company websites, business cards, church bulletins, stadium jumbotrons, and more. Any location where someone wants to convey information – especially advertisements and marketing material – may contain a QR code. In addition, retail businesses increasingly permit payment by scanning a prominently placed QR code. While these codes serve a useful purpose by providing consumer information and promoting customer convenience, they do not come without risk.

A good overview (though also a product advertisement) of the types of data contained in QR codes, the uses of QR codes, and the assortment of risks associated with QR code use can be found here. This Privacy Peril focuses on their use as website directors, essentially website shortcuts. A QR code pattern allows a consumer to access a site quickly without typing in a long web address, especially since the cameras on many of today’s cell phones act as QR scanners. Once you have landed at the website the QR code points to, all the typical methods of tricking you into disclosing confidential information may appear, just as they would had you followed a link in a phishing email (hence the term “quishing”).

It is unrealistic in today’s world to ignore or abandon the use of QR codes. There are, however, common-sense steps to minimize your risk of being quished. On its website, the Better Business Bureau provides these tips to avoid QR scams:

  • If someone you know sends you a QR code, confirm before scanning it. Whether you receive a text message from a friend or a message on social media from your workmate, contact that person directly before you scan the QR code to make sure they haven’t been hacked.
  • Don’t open links from strangers. If you receive an unsolicited message from a stranger, don’t scan the QR code, even if they promise you exciting gifts or investment opportunities.
  • Verify the source. If a QR code appears to come from a reputable source, it’s wise to double check. If the correspondence appears to come from a government agency, call or visit their official website to confirm.
  • Be wary of short links. If a URL-shortened link appears when you scan a QR code, understand that you can’t know where the code is directing you. It could be hiding a malicious URL.
  • Watch out for advertising materials that have been tampered with. Some scammers attempt to mislead consumers by altering legitimate business ads by placing stickers on the QR code. Keep an eye out for signs of tampering.
  • Install a QR scanner with added security. Some antivirus companies have QR scanner apps that check the safety of a scanned link before you open it. They can identify phishing scams, forced app downloads, and other dangerous links.

In short, “mobile users should only scan codes that come from a trusted sender.”
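For readers who manage mobile devices or review reported QR codes, the following added example (not part of the original publication or the BBB's tips) shows how the "short links" and "verify the source" checks can be applied to the text decoded from a QR code before anything is opened. The function name, the shortener list, and the `agency.example` host are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of well-known URL-shortening services.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

def triage_qr_payload(payload, expected_hosts=()):
    """Return a list of warnings for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed link"]
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme: {parts.scheme or 'none'})"]
    warnings = []
    if parts.scheme == "http":
        warnings.append("unencrypted http link")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return warnings + ["no host name in link"]
    if parts.username is not None:
        # "https://trusted-name@other-host/" actually goes to other-host.
        warnings.append("text before '@' hides the real host: " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a name")
    except ValueError:
        pass  # an ordinary host name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (possible look-alike) host name")
    if host in SHORTENERS:
        warnings.append("shortened link; destination is hidden")
    if expected_hosts and not any(
        host == e or host.endswith("." + e) for e in expected_hosts
    ):
        warnings.append(f"host {host} is not the expected site")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads; none are real indicators.
    for sample in ("https://bit.ly/3xYzAbC",
                   "http://www.agency.example@203.0.113.7/pay",
                   "https://www.agency.example/pay"):
        print(sample, "->", triage_qr_payload(sample, ["agency.example"]))
```

An empty list means none of these checks fired; it does not mean the destination is safe.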

Remember: A Quick Response and a Hasty Response are not synonymous.

Check out our series, Privacy Perils, to learn what steps you can take to guard your personal and company data. For more information about this topic and other cyber security concerns, please contact Bob Brewer, Tony McFarland, Elizabeth Warren or a member of our Privacy & Data Security team.