"Verifying QR Codes Before Scanning: The Quishing Way"
Warning Issued Over Rise in 'Quishing' Scams
In a recent advisory, the Consumer Advice Centre Brandenburg (VZB) has alerted the public to a rising threat known as "quishing" scams. This form of phishing attack uses malicious QR codes to trick users into scanning them, leading them to fake websites designed to steal personal information or install malware.
The surge in quishing attacks, which saw a 400% increase in cyberattacks using QR codes and millions of users being redirected to scams in 2024-2025, highlights the importance of taking precautions to stay safe.
To identify and avoid quishing scams, follow these key recommendations:
- Verify the source before scanning: Only scan QR codes from trusted sources. Suspicious or unexpected codes, especially in public places (e.g., parking meters, packages, or flyers), should be avoided.
- Look for signs of tampering: Physical alterations such as stickers placed over legitimate QR codes, damaged, partially covered, or low-quality codes can indicate fraud.
- Question urgency or pressure messages: If the QR code is accompanied by pressuring text like "Scan immediately to avoid fees," treat this as a red flag.
- Use a QR code scanner with security features: Some apps preview the link before opening it, allowing you to inspect the URL for legitimacy.
- Be cautious with QR codes in unusual contexts: QR codes in places where you wouldn’t expect them (e.g., random surfaces, unsolicited mails, or e-mails) should raise suspicion.
- Keep your device security up-to-date: Ensure your phone's operating system and security apps are current to help detect and block malicious sites or malware.
If the scanned link can be compared with the original address, it can help verify the QR code's authenticity. Money should typically be transferred without a confirmation; an extra payment confirmation is unusual.
The VZB also advises that generally, payment methods offered on platforms should be used, and handling payments outside the platform should be a cause for alarm. In a case involving a seller on a platform for used clothing, the seller fell victim to a quishing scam when the supposed buyer sent a QR code that was actually a link to a fake PayPal page.
To extra protect login details, VZB recommends setting up two-factor authentication (2FA) on PayPal for both payments and login. Anyone who enters their login details on a fake website created by quishing risks their credentials and account.
In light of the growing threat, it is essential to practice these precautions to ensure a safe and secure online experience. Always confirm the legitimacy of a QR code source visually or contextually, avoid scanning suspicious codes, and use security features on your scanning apps and device to help stay safe from quishing scams.
- Despite the increasing danger of 'quishing' scams, maintaining strong cybersecurity practices can help protect your personal-finance and technology from these attacks.
- To enhance the security of your financial transactions, consider enabling two-factor authentication (2FA) on your banking and payment platforms like PayPal, as an additional layer of protection against 'quishing' scams.
