Qishing – What Is It and Why You Should Care
You heard it first here folks - a global exclusive. Seriously!
QR codes have been around for a while now; however, thanks to a stroke of marketing genius in this year’s Super Bowl, QR codes are about to hit a brand-new level of intensity. Marketers across the globe will be looking to jump on the bandwagon like never before. Simultaneously, cybercriminals will also be looking at ways they can use QR codes to their advantage.
What Is a QR Code Anyway?
QR stands for Quick Response, and the code is a multidimensional barcode that was invented in 1994 by the Japanese automotive company Denso Wave.
A QR code is a square made up of smaller black and white squares of varying sizes that can be read by your mobile device’s camera or by a dedicated QR code reader app.
QR codes can hold a lot of data and have been used across multiple sectors over the years. Advertising and marketing are popular uses (such as the Coinbase Super Bowl ad or electronic billboards in Times Square or on a flyer at a local book fair), COVID-19 check-ins across the globe, real estate listings, logging into websites, joining a Wi-Fi network, linking to a fillable form, ordering at a café and so much more.
Back to the Introduction of the New Member of the Ishing Family
I would like to formally introduce you to Qishing. Before we get into the nitty gritty of this little square of squares, let’s do some history.
When email was born (1965 or 1971 depending on where you do your research), we were unprepared for the birth of the first member of the Ishing family. You may know of phishing, which has grown up into a sophisticated malicious creature. Cybercriminals the world over have benefited from its ability to lure unsuspecting people into clicking on malicious links or opening an attachment with a malicious payload, to deploy ransomware, and to trick us into handing over our precious login details or personal information. Phishing was indeed the first of its breed in this fascinating family and it is not going anywhere.
Not to be outdone by its pesky email cousin, a new entry appeared in 2006 when a new breed of dangerous text messages (SMS – Short Message Service) was dubbed smishing. Smishing is indeed the SMS version of phishing (so original, I know), where cybercriminals use SMSs which may include messages designed to entice us to click on a malicious link, which downloads malicious software onto our mobile device.
The third member to be welcomed into the Ishing family is vishing. Some of you are now thinking ‘hmmm, could it be v for video?’ No, it is v for voice. You guessed it; vishing is the voice version of phishing. Vishing is like a two-faced character with one being a recorded message and the other a real person on the other end of the phone. As with the other Ishing members, the intent is to trick or manipulate an unsuspecting person into handing over personally identifiable information or money.
With the history lesson over, let’s welcome qishing into the fold. Yes, qishing is the QR code version of phishing and has been in the family for a few years. For example, qishing has been used at parking meters where unsuspecting people scan the QR code thinking they are selecting a quick payment option, yet they are inadvertently sharing their payment details with a cybercriminal. Qishing could also be used to take someone to dangerous websites where malicious executable data can be hidden in a URL and so much more.
Tips To Avoid Qishing
Before you scan, stop and think. If there is any doubt related to the authenticity of the QR code, use a secure scanner app which scans the code first to check that it is in fact safe (Kaspersky, Quick Scan offer such an app as do other security companies).
Ignore QR codes on junk mail, placed on random posters or embedded in emails. In fact, I would not be scanning any QR code unless it goes through a secure QR code scanner app first.
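To make "stop and think" concrete, here is an added example (not from the original article, and not how any named scanner app works) of the kind of check that can be run on the text decoded from a QR code before acting on it. The function name, the shortener list and the heuristics themselves are assumptions chosen for illustration, and the sample payloads in the usage note are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative shortener list (assumption, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def triage_qr_payload(payload: str) -> list[str]:
    """Return reasons to distrust a decoded QR payload; empty list = none found."""
    text = payload.strip()
    findings = []
    # Wi-Fi join codes look like WIFI:T:WPA;S:ssid;P:password;;
    # (simplified parse: escaped ';' inside values is not handled).
    if text.upper().startswith("WIFI:"):
        findings.append("joins a Wi-Fi network")
        fields = dict(f.split(":", 1) for f in text[5:].split(";") if ":" in f)
        if fields.get("T", "nopass").lower() == "nopass":
            findings.append("network is unencrypted")
        return findings
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # e.g. sms:, tel:, mailto: trigger an action instead of opening a page
        findings.append(f"not a web link (scheme: {scheme or 'none'})")
        return findings
    if scheme == "http":
        findings.append("no TLS (http)")
    if parts.username is not None:
        # In https://trusted.example@other.example/ the real host is other.example
        findings.append("userinfo before the host")
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (possible look-alike domain)")
    if host in SHORTENERS:
        findings.append("URL shortener hides the destination")
    return findings
```

An empty result only means none of these heuristics fired; it does not prove the destination is safe. For instance, the constructed payload `http://192.0.2.10/pay` returns two findings, while `https://cafe.example/menu` returns none.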
Written February 15th 2022