Security concerns with QR codes
Many applications that use QR codes do not explicitly display the URL of the target action, especially when payment gateways are involved. When a code opens a site, the scanner usually displays the hyperlink, but hackers and cyber-criminals use URL shorteners to hide the final link. Moreover, the URL displayed when a mobile device scans a QR code might not be shown completely in the mobile browser.
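The two problems described above (shorteners hiding the final link, and long URLs being cut off on a small screen) can be checked by a scanner before anything is opened. The following Python sketch is an added example, not code from the original article; the function name, the shortener list and the display width are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Small constructed sample of shortener hosts (assumption, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
DISPLAY_WIDTH = 40  # assumed number of characters a narrow address bar shows


def review_qr_payload(payload: str) -> dict:
    """Return the full host and any warnings for a decoded QR payload."""
    payload = payload.strip()
    try:
        parts = urlsplit(payload)
    except ValueError:
        return {"host": None, "warnings": ["malformed URL"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return {"host": None, "warnings": [f"non-web scheme: {scheme or 'none'}"]}
    host = (parts.hostname or "").lower()
    if not host:
        return {"host": None, "warnings": ["no host in URL"]}
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    if parts.username is not None:
        # Text before '@' is not the host, but it is what a user reads first.
        warnings.append("userinfo before '@' can disguise the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another name")
    if len(payload) > DISPLAY_WIDTH:
        warnings.append("URL longer than display width; show host separately")
    return {"host": host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would hand them over.
    samples = [
        "https://bit.ly/3abcXYZ",
        "http://login.example.com@203.0.113.7/account/verify?session=0123456789abcdef",
        "https://xn--exmple-cua.example/",
        "hello world",
    ]
    for s in samples:
        print(s, "->", review_qr_payload(s))
```

A scanner app would show the returned host on its own line and ask for confirmation whenever the warning list is not empty.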
What are QRishing scams?
QRishing is phishing carried out with QR codes. Security concerns about QRishing were first raised years ago, but it was not as much of a problem then as it is now. As QRishing attacks become common, Carnegie Mellon University has conducted research, the first of its kind, titled The Susceptibility of Smartphone Users to QR Code Phishing Attacks, to find the extent of the problem and possible vulnerabilities. Just as in phishing attacks through email, cybercriminals rely on curiosity to make users scan malicious QR codes. Email phishing has been a known security concern for quite some time, because of which all major web servers have developed measures to counter it. The same doesn’t seem to be true of QRishing, which is less known, less investigated and almost totally unstoppable. To add to this, mobile browsers, whether on iPhones or Android phones, do not employ the same safe browsing techniques that desktop browsers do, like comparing URLs to a blacklist, or actions like ‘click one more button’, etc.
How is QRishing done and with what purpose?
QRishing uses socially engineered bait to make potential victims scan the code. The following methods have been used for the same: The purpose of such attacks could range from stealing personal information to clickbait to monetary fraud. In a known case of QRishing, a college student redirected a QR code to his Twitter account only to get more views on it. He shortened the URL so it could not be recognized. A very dangerous thing cybercriminals do is change the QR codes on payment gateways, which are scanned to make payments. By the time the details of the recipient are disclosed, the payment is already made. While most of us are aware of email phishing and would think twice before sharing our credentials on a suspicious page we receive through email, the same is not true with QR codes. If a user is directed to a QRishing page asking for his/her credentials, the user might not suspect the scam and might give away the credentials.
How to protect yourself from QRishing scams
Some basic steps you should take: The real reason behind QRishing being such a serious concern is that we, the people, are not prepared for it. Since it is a new term, little research has been done to counter it. While enough awareness has been spread about email phishing, people still tend to trust QR codes.