You sit down at a restaurant and scan the QR code for the menu. Next thing you know, you’ve been quished.
Quishing is a scam that starts with scanning a QR code and directing you to a website that looks and feels legitimate. Instead, you could be downloading malware to your phone, damaging your device. Quishing also allows criminals to steal your personal information, track your online activity to learn more about you, send email from your email account, or send text messages to your contacts.
Why Criminals Use QR Codes?
Anyone can create a QR code; the process is not regulated. Scammers use QR codes because, with one simple scan, they can get you to a malicious link. Using the link, they will try to trick you into providing valuable information like your banking or credit card credentials. The auto-page linking is especially concerning because it’s difficult to see in advance just where the QR code link will take you.
In some cases, scammers will encourage you to download software like QR code scanners. Never do this! If you do, you’re opening yourself up to malware. Since a phone’s camera can read QR codes, there’s no reason to download any type of scanning software.
So How do You Protect Yourself?
In the case of a restaurant QR code, don’t scan the code on your table. This original, publicly placed code could have been replaced with a fraudulent one. If you must view the restaurant’s menu from your phone, go to the restaurant website and read the menu there.
Other prime, public QR code locations to be wary of include:
- Gas pumps
- Parking meters
- Advertising signage
- Social media posts
- Boarding passes
- Real estate listing
- Business cards sitting or posted in a public place
To protect yourself, check for signs that the original QR code has been tampered with. When you use a QR code, preview the destination website before you click through. For example, does the preview show www.inb.com or www.ibn.com?? It’s easy to be tricked, so take a second or two to make sure you know where you’re headed!
QR Codes in Emails and Mail
A growing concern is receiving mail or email with a QR code. Even though a mailing may look legitimate, it could be a phishing letter or email. Scammers often use personal information logos, and even familiar addresses and phone numbers, to create communications.
If you receive an unsolicited letter or email with a QR code, don’t scan the code right away. Do your homework. Is the email coming from a legitimate source? Is the QR code directing me to a known business website?
Be especially cautious of an unsolicited letter or email pertaining to a bank. Call the bank’s phone number – found on their legitimate website – to confirm the letter is from the bank. Another quick check is to look at the URL (web address) you’re being sent to. For example, in a legitimate email from INB the mailing address will include the domain we own and use: inb.com.
Another common ploy is an email message that claims a payment failed and asks you to complete the payment through a
QR code. NEVER follow the link! If you’ve made a purchase and want to verify a payment, call the organization you made the payment to and confirm the content of the email. Never use the phone number included in the email; it’s likely linked to the same bad actor who sent the letter or email. Go to the business’s official website and use the contact information found there.
If you are the victim of a quish scam, immediately call INB and have your account access blocked. Then, be diligent about monitoring your accounts for suspicious activity.
Finally, if you are the victim of any scam, don’t be embarrassed! Scammers are very good at their “jobs.” Call us and call your local police department to report any loss.
How INB Protects Customers
At INB, we prioritize your security by partnering with cybersecurity companies that provide a wide range of security solutions. This protection is invaluable in safeguarding both our organization and you. And while most QR codes are legitimate, it’s important to practice caution, especially where your finances are involved.