A seemingly innocuous square sticker on a parking meter in Thornaby, England, recently cost a 71-year-old woman her identity and a £7,500 loan. She scanned the QR code, entered her details, and unwittingly handed her life over to criminals. This is just one example of a rapidly growing global fraud known as "quishing" – QR code phishing – and if you own a smartphone, you're a potential target.
QR codes, initially designed for tracking car parts on Toyota's assembly line in 1994, have become ubiquitous. These "Quick Response" codes can store web links, payment instructions, Wi-Fi credentials, and more. However, their inherent weakness lies in their opacity: you can't visually assess where a QR code leads before scanning it, creating an opportunity for scammers to exploit this blind trust.
Quishing scams come in various forms. The "sticker swap" involves criminals replacing legitimate QR codes with fake ones on parking meters or public notices, directing victims to fraudulent websites. The "email trap" uses QR codes in phishing emails that bypass corporate security systems, leading employees to scan with their personal devices, creating a "mobile scanning gap." Other methods include unsolicited packages with malicious QR codes and scams involving Bitcoin ATMs.
The numbers are alarming. Security firm Barracuda documented a 587 percent increase in quishing incidents during 2023 alone. More than 26 million Americans have been directed to malicious websites through QR codes. Even nation-states are getting involved; the FBI confirmed that North Korean hackers are using QR codes in espionage campaigns. INTERPOL got involved in October 2024 with "Operation Contender 2.0," arresting eight suspects in Côte d'Ivoire and Nigeria who had targeted Swiss citizens with QR code phishing, resulting in $1.4 million in losses.
Protecting yourself requires vigilance. Before scanning, physically inspect QR codes for sticker overlays or inconsistencies. After scanning, carefully review the URL preview for misspellings or suspicious domains. Be wary of requests for login credentials or financial information that seem out of context. Treat QR codes in emails with extreme caution, and never scan them from unsolicited packages. If you suspect a scam, immediately disconnect your phone from the internet, change passwords, run a security scan, and report the incident to the appropriate authorities, such as the Canadian Anti-Fraud Centre.
The rise of quishing is a stark reminder that technology's convenience can be exploited. By adopting a cautious mindset and following these guidelines, you can significantly reduce your risk of becoming a victim. Remember, the most effective defense is to pause, look, and ask yourself if something feels wrong before you scan.