QRishing is a form of phishing attack where hackers exploit QR codes to steal private information, install malicious software on a device, or direct a person to an unsafe website.

So how do these attacks work? How can you avoid falling victim to a QRishing attack?

What Is QRishing?

QRishing exploits the tendencies of phone users to scan QR codes out of curiosity, boredom, or necessity.

For instance, the attacker may leave flyers at a bus stop or on tables at restaurants or coffee shops. When a person scans the QR code with their phone, thinking it's an advert or menu, it displays a URL, an image, or a map with directions to a location, among other things.

From here on, scammers rely on social engineering to trick victims into sharing sensitive information. Hackers may also exploit vulnerabilities like WebKit bugs in a browser to take over the victim’s device.

How Does QRishing Work?


Of course, not everyone would scan a random QR code without an incentive or a caption explaining what they can expect to see. So cybercriminals often find another way to get people interested.

A cybercriminal may take a flyer from, say, a popular financial institution or government agency. Next, they swap in their own QR code but keep the rest of the design, then share the flyer online. They may also post copies in public places where people can see and scan the QR code. This particular trick was widely reported after the Coinbase QR code ad at the 2022 Super Bowl went viral.

Paste Fake Flyers With the QR Code

Here, a cybercriminal may print fake flyers with a QR code that directs anyone who scans it to a website where the attacker can harvest their data. Even if this attempt fails, the attacker may still gather device and location data from the victim's browser. Worse still, a determined attacker could use browser fingerprinting to track a victim online.

Embed the QR Code in a Scam Email

This form of QRishing is typically part of a conventional email phishing campaign. Unlike a shortened hyperlink, a QR code cannot be hovered over to reveal its destination URL, so it's easy for a scammer to tell a potential victim, for example, to scan a QR code for a chance to win a gift card.

How to Avoid QRishing

Scanning and reading a QR code mostly requires two things: a camera, and a browser to follow the information in the QR code. Because the process is so simple, avoiding these attacks is simple too. Here's how.

Block Camera Access on Your Phone

Most people have their phone cameras ready to capture important moments or do video calls. This is understandable. But having an always-activated camera can also make it easy for you to scan a QR code without giving it a second thought.

Consider deactivating your iPhone camera when it’s not in use. One quick way to do that is to swipe down from the notification area and block camera access. The other way is to navigate to Settings > Apps > Permissions. You may then disable the camera or set it to ask for access permissions every time you want to use the app. The process is similar for Android users.

Without a doubt, you will feel this lifestyle change, especially if you use your camera a lot. Still, the occasional inconvenience of disabling and enabling your camera is worth the extra security against QRishing and third-party apps that access your camera.

Keep Your Software Updated

Hackers can exploit software vulnerabilities in your apps or phone operating system without your knowledge. For example, hackers can exploit WebKit security vulnerabilities in your browser to hack your phone, tablet, or even smartwatch. Consider setting your devices to auto-update apps and install security updates as soon as they become available.

Avoid Sharing Sensitive Information Online

Scanning a QR code may direct you to a web page or online form where you’ll be asked to provide information like your biodata, email address, account passwords, or card details for a chance to win a fictitious prize.

As a rule of thumb, avoid sharing any personal data online. Besides the risk of having your account hacked or money stolen, cybercriminals may also use the details you shared to steal your identity.

Think Before You Scan

You don't have to scan every QR code that's presented to you. Stay skeptical, and refrain from scanning anything unnecessarily. In most cases, you can check a firm's website or menu by searching for it online first.
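The article's point is that a QR code hides its destination until it is scanned. As an added illustration (not code from the article), the following Python check inspects the text a QR decoder returns before anything is opened: it labels the payload kind (URL, Wi-Fi credentials, contact card, map location, other app scheme) and flags URL red flags such as plain HTTP, link shorteners, raw IP hosts, punycode lookalike domains and embedded credentials. The shortener list and all sample payloads are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, non-exhaustive list of link shorteners (a real tool would use a maintained list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}


def classify_payload(payload: str) -> str:
    """Label what a decoded QR payload carries, using the common QR content prefixes."""
    upper = payload.upper()
    if upper.startswith(("HTTP://", "HTTPS://")):
        return "url"
    if upper.startswith("WIFI:"):
        return "wifi"  # joins a network; a hostile one can intercept traffic
    if upper.startswith("BEGIN:VCARD"):
        return "vcard"  # adds a contact, possibly with a bogus number or URL
    if upper.startswith("GEO:"):
        return "geo"  # the map-directions case mentioned in the article
    if urlsplit(payload).scheme:
        return "other-scheme"  # tel:, mailto:, sms:, ...: handed to another app
    return "text"


def url_warnings(url: str) -> list[str]:
    """Red flags for a URL hidden in a QR code, checked before anyone opens it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username or parts.password:
        warnings.append("credentials embedded in the URL")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        warnings.append("raw IP address instead of a domain name")
    elif host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode hostname; may be a lookalike of a known brand")
    elif host.count(".") >= 3:
        warnings.append("deeply nested subdomain; check which part is the registered domain")
    if host in SHORTENERS:
        warnings.append("link shortener hides the real destination")
    if parts.port not in (None, 80, 443):
        warnings.append(f"unusual port {parts.port}")
    return warnings


def inspect_payload(payload: str) -> dict:
    """Combine both checks; the payload string comes from any QR decoder."""
    kind = classify_payload(payload)
    return {"kind": kind, "warnings": url_warnings(payload) if kind == "url" else []}
```

Run `inspect_payload` on the string your QR decoder returns; an empty warning list is not proof of safety, only the absence of the obvious red flags.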

QRishing: Less Common, but Stay Ahead

QRishing is less common than other types of phishing because an attacker would need to invest some effort into distributing the malicious QR code. However, this form of phishing is relatively new, and not many people know about it, which means people can easily fall for it. Cybercriminals who carry out these attacks have everything to gain and nothing to lose.