Wednesday, May 01, 2024 | Shawwal 21, 1445 H
EDITOR IN CHIEF- ABDULLAH BIN SALIM AL SHUEILI

Beware of quishing

You must think twice before scanning a QR (quick response) code

QR codes help us scan restaurant menus, pay for products or services online and offline, and access websites with greater ease. But experts have expressed concern over the ease with which scammers use unknown QR codes to con users. This is called quishing – which comes from combining QR and phishing.




“With the increase in digitisation, using QR codes has become one of the common techniques in our day-to-day life as they allow us to do cashless payments, provide quick feedback/review for a vendor, navigate to a virtual menu at a restaurant. These QR codes are found physically pasted or virtually embedded as an e-mail, advertisement, or an online website,” Payal Sampat Dutia, a cyber security expert, told the Observer.


“QR codes make mundane activities quicker and easier, but hackers and cyber criminals are using quishing to trick someone into scanning a QR code using a mobile phone and directing them to a fraudulent website that might download malware or ask for sensitive information.”


Tariq al Barwani


Payal said people need to be vigilant when looking at QR codes. “Do not scan an unfamiliar QR code. QR stands for quick response code. As its purpose is for quick navigation and action, attackers and cyber criminals utilise this technique to execute their malicious intent,” she said.


“Do not enter a password or sensitive information by scanning a QR code; be vigilant about the landing page or the output once the QR code is scanned. Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter,” she added.


She called on people to stay alert for hallmarks of phishing campaigns, such as a sense of urgency and appeals to emotions like sympathy and fear, among others. “Do not download an app from a QR code. Use your phone's app store for a safer download,” Payal said.


Tariq al Barwani, an IT expert, was of the view that the QR code one receives may simply direct him or her to a phishing website where information can be stolen. “Think of quishing as an evolved manipulative mechanism of the traditional phishing where QR codes are used to achieve the same goal, and thus the name quishing. The QR code you receive may simply direct you to a phishing website where your information can be stolen,” he said.


Payal Sampat Dutia


“I personally feel many people would fall victim to this technique because it is not an easy one to identify, because a QR code is just a QR code, nothing from the looks of it shows that it is a manipulative one. Furthermore, many of the existing e-mail security tools may not be able to identify quishing, letting it pass to your inbox, and consequently reaching you to be phished. The same applies to web browsers too,” he said.


Al Barwani recommended some of the measures that people need to take. “Include checking with the sender or owners of the QR code (be it the bank, restaurant, service provider etc) on the legitimacy of the e-mail sent or the poster used for the QR code in question. I am pretty sure very soon many QR code scanners, apps, e-mail and web browsers will incorporate mechanisms to check the legitimacy of the QR codes, until then, people need to keep updating their devices to ensure they are safe,” he said.


BE VIGILANT


1. Do not scan an unfamiliar QR code


2. Do not enter a password or sensitive information by scanning a QR code


3. Once you scan a QR code, check the URL to make sure it is the intended site


4. Stay alert for hallmarks of phishing campaigns


5. Do not download an app from a QR code
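
The URL check in point 3 can also be done by software before a link is opened. The Python sketch below is an added example, not part of the original article: it compares the address decoded from a QR code with a list of sites the user expects and flags names that differ by a typo or a misplaced letter. The expected hosts, the `.example` and `.test` names and the distance threshold of 2 are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the hosts the user actually intends to reach.
EXPECTED_HOSTS = {"mybank.example", "pay.cafe.example"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent-letter swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # A swapped pair of neighbours ("bnak" for "bank") counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_qr_url(url: str) -> str:
    """Classify a URL decoded from a QR code against EXPECTED_HOSTS."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "reject: malformed link"
    if parts.scheme != "https" or not host:
        return "reject: not an https web link"
    if parts.username is not None:
        # In https://mybank.example@evil.test the real site is evil.test.
        return "reject: text before '@' is not the site name"
    if any(host == g or host.endswith("." + g) for g in EXPECTED_HOSTS):
        return "expected"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: encoded non-Latin characters in the name"
    for good in sorted(EXPECTED_HOSTS):
        # Compare the same number of trailing labels as the expected host has.
        tail = ".".join(host.split(".")[-(good.count(".") + 1):])
        if host.startswith(good + ".") or osa_distance(tail, good) <= 2:
            return "lookalike: close to " + good
    return "unknown"
```

A result of "unknown" only means the name is not near anything on the list; it does not mean the site is safe.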

