What is Quishing and how can it impact my business?

Cyber criminals keep finding new ways to attack. The latest method involves corrupting QR codes.

For the last few years, a QR code was a simple way to get people to connect to your website. People have gotten used to them by now. You might have seen a QR code in restaurants to bring up the menu, on mass transportation, commercials, signs and more. It was originally an easy way to jump to a particular webpage so people simply scanned it without concern. However, those days are over.

Criminals are now sending QR codes by email, accompanied by a false message such as a request to “verify your account.” Scanning the QR code could help attack your device or bring you to a webpage that will steal your information. Weaponizing QR codes is called Quishing because it is related to Phishing. Phishing is a type of attack that tricks people into turning over sensitive information (such as a password) or installing malware. Phishing has been around for MANY years.

However, if a criminal wants you to go to their false webpage, they can simply make up their own QR code and pretend it came from a trusted source.

What should you do?

Going forward, just like you should not click links in emails but instead go directly to the vendor website, you also should not scan any QR codes.

If there is a reason you really need to, first authenticate the sender. Don’t look only at the display name; make sure the full email address is verified as well. For example, an email from the FedEx CEO would have to come from name@fedex.com and not name@gmail.com.

However, just like text messages from an unknown sender can hide dangerous intent, so can a QR code, so the best bet is not to scan them anymore.
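The sender check described above can be automated in a mail filter. The following Python sketch is an added example, not part of the original article: it compares the full address in the From header, and the host of the link already decoded from the QR code, against the domains a brand really uses. The `TRUSTED` table, the function names and the `example.net` addresses are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> domains that brand really sends from.
TRUSTED = {"fedex": {"fedex.com"}}

def domain_matches(host, trusted_domains):
    """True only if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)

def check_message(from_header, qr_url):
    """Return a list of mismatches; an empty list means none were found."""
    findings = []
    display, address = parseaddr(from_header)
    sender_domain = address.rpartition("@")[2]
    qr_host = urlsplit(qr_url).hostname or ""
    for brand, domains in TRUSTED.items():
        # Does the message present itself as this brand anywhere the reader sees?
        if brand not in f"{display} {address} {qr_host}".lower():
            continue
        if not domain_matches(sender_domain, domains):
            findings.append(f"sender domain {sender_domain!r} is not {brand}'s")
        if not domain_matches(qr_host, domains):
            findings.append(f"QR link host {qr_host!r} is not {brand}'s")
    return findings

if __name__ == "__main__":
    # Constructed sample messages: (From header, URL already decoded from the QR code).
    samples = [
        ("FedEx CEO <name@fedex.com>", "https://www.fedex.com/track"),
        ("FedEx CEO <name@gmail.com>", "https://www.fedex.com/track"),
        ("FedEx CEO <name@fedex.com.example.net>", "https://fedex.com.example.net/verify"),
    ]
    for from_header, qr_url in samples:
        print(from_header, "->", check_message(from_header, qr_url) or "no mismatch")
```

A From header can itself be forged, so a clean result here complements the mail server's SPF, DKIM and DMARC results rather than replacing them.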