A family of four on a long-awaited, cross-country trip pulls into a metered parking space to grab a quick bite. Like many meters these days, it doesn’t take coins; it’s paid through a QR (Quick Read) on a smart phone. The wife pulls out her device and scans the code to pay for an hour. After enjoying the meal, the husband pulls out his debit card to pay and it’s declined. It’s got to be a mistake, he says. The clerk scans it for a second time and again it’s declined. The husband calls the phone number on the back of the card and a moment later let’s out a panic-stricken scream. The person on the other end of the phone told him that his account had just been cleaned out.
Across town, a couple receives a package on their front porch. The husband and wife talk and neither can remember ordering anything. They notice, though, that there is a QR code on the top of the box; certainly, scanning it will help them track down the sender or maybe provide some insight into who it should go to. Like the family above, they won’t make that mistake again.
And finally, an employee sitting at his desk goes to his email and sees a message from his bank. He clicks on it and scrolls down to a QR code, which he scans with his phone. One more life-changing decision.
All of these users fell victim to quishing, a combination of QR codes and phishing. Research shows that this is one of the fastest growing forms of scamming.
How QR Code Scams Work
One of the methods employed by cybercriminals is hiding harmful links in QR codes. Or they replace a legitimate QR code with a malicious one. The users’ personal information will be stripped or harvested by these nefarious sites.
And the problem is that users will not discover they have been scammed until it’s too late.
For the situation with the emailed QR code, employees should first be trained on the dangers of phishing or quishing. They should be instructed to not click on links or attachments of any kind from senders they don’t know or were not expecting an email from. Users should go through a company’s portal or website to gain access or reach out to the sender to confirm the message is legitimate.
The next step for the organization is to utilize the knowledge and tools of IT experts to fend off these attacks. An example of such a solution is the Check Point Harmony & Email Collaboration (HEC) used by FTC IT Solutions. HEC, which recognizes QR codes as malicious and neutralizes them before delivery, provides a layer of high-level protection. Business operators in need of their expertise should connect with FTC IT Solutions by calling 888-218-5050.
For customers like the family at the parking meter or the couple with the porch delivery, the FTC team is working with developers to determine the best solution to protect not only users like them from cybercriminals but all of its wireless customers.
Vigilance is the key for now. Unknown QR codes should never be scanned.
Stay tuned!
