Security

Banks and Regulators Warn of Rise in 'Quishing' QR Code Scams

Banks and regulators are warning that QR code phishing scams -- also known as "quishing" -- are slipping through corporate cyber defences and increasingly tricking customers into giving up their financial details. From a report: Lenders including Santander, HSBC, and TSB have joined the UK National Cyber Security Centre and US Federal Trade Commission among others to raise concerns about a rise in fraudulent QR codes being deployed for sophisticated fraud campaigns.

The new type of email scam often involves criminals sending QR codes in attached PDFs. Experts said the strategy is effective because the messages frequently get through corporate cyber security filters -- software that typically flags malicious website links, but often does not scan images within attachments. "The appeal for criminals is that it's bypassing all of the [cyber security] training and it's also bypassing our products," said Chester Wisniewski, a senior adviser at security software company Sophos.
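The defence the summary and the discussion keep coming back to is the preview step: a scanner decodes the QR code to text and the user (or the scanner) checks that text before acting on it. The following is an added example, not code from the article, from Sophos, or from any scanner app, of what that check looks like when written down. It classifies a decoded payload (URL, EPC/SEPA payment, contact card, other scheme, plain text), and for URLs flags the things a careful reader would eyeball: a brand name with digits swapped in, a brand name parked on someone else's domain, a URL shortener that hides the landing host, userinfo before an IP literal, punycode labels, and plain http. The brand list, shortener list and the two-level public-suffix list are constructed, partial assumptions for illustration; a real deployment would use a maintained list.

```python
"""Triage a decoded QR payload before acting on it.

Added example, not from the article or any vendor's product: once a scanner
shows the decoded text, these are the checks a reader applies by eye. The
brand list, shortener list and suffix list are constructed, partial assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

EXPECTED_BRANDS = {"amazon", "apple", "santander", "hsbc", "tsb", "paypal"}   # constructed
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}  # constructed
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au", "co.jp"}  # constructed, partial
# Digits and symbols commonly swapped for letters, e.g. amaz0n -> amazon.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "|": "l", "$": "s"})


def classify(payload: str) -> str:
    """Rough payload type: a QR code is just text, and only some of it is a URL."""
    p = payload.strip()
    if re.match(r"(?i)^https?://", p):
        return "url"
    if p.startswith("BCD\n"):  # EPC/SEPA credit-transfer QR (EPC069-12) header line
        return "payment"
    if re.match(r"(?i)^(tel|mailto|sms|smsto|wifi|intent):", p):
        return "scheme"
    if p.startswith("BEGIN:VCARD"):
        return "vcard"
    return "text"


def split_host(host: str):
    """Return (subdomain labels, registrable domain, first label of the registrable domain)."""
    labels = host.split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES else 2
    if len(labels) <= n:
        return [], host, labels[0]
    return labels[:-n], ".".join(labels[-n:]), labels[-n]


def triage_url(url: str) -> list:
    """Reasons a URL deserves a second look before visiting; an empty list means nothing was flagged."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        reasons.append("plain http")
    if parts.username is not None:
        # "https://paypal.com@203.0.113.5/" connects to the part after the @
        reasons.append("userinfo before host; real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP literal host")
        return reasons  # no registrable domain to inspect
    except ValueError:
        pass
    if host in SHORTENER_HOSTS:
        reasons.append("URL shortener; landing host unknown")
    subs, reg, base = split_host(host)
    folded = base.translate(HOMOGLYPHS)
    if base not in EXPECTED_BRANDS and folded in EXPECTED_BRANDS:
        reasons.append("lookalike of %s: %s" % (folded, base))
    for brand in EXPECTED_BRANDS:
        if brand in subs and base != brand:
            reasons.append("brand %s used as subdomain of %s" % (brand, reg))
        elif base != brand and brand in folded.split("-"):
            reasons.append("brand %s embedded in %s" % (brand, reg))
    return reasons


def triage(payload: str) -> dict:
    """Summarise what the user is about to approve, by payload type."""
    kind = classify(payload)
    out = {"type": kind, "reasons": []}
    text = payload.strip()
    if kind == "url":
        out["host"] = (urlsplit(text).hostname or "").lower()
        out["reasons"] = triage_url(text)
    elif kind == "payment":
        # EPC layout: line 6 beneficiary name, line 7 IBAN, line 8 amount such as EUR12.50
        fields = text.split("\n")
        out["beneficiary"] = fields[5] if len(fields) > 5 else ""
        out["iban"] = fields[6] if len(fields) > 6 else ""
        out["amount"] = fields[7] if len(fields) > 7 else ""
    return out


if __name__ == "__main__":
    # Constructed sample payloads, the kind a scanner would hand back.
    for sample in ("https://amaz0n.com/login", "http://bit.ly/parking",
                   "https://hsbc.secure-login.example/", "https://www.hsbc.co.uk/"):
        print(sample, "->", triage(sample)["reasons"])
```

The shortener case is the one the preview cannot settle on its own: the host shown is real and benign, and the decision has to wait for the redirect target. The payment branch makes the other point from the thread, that a QR code need not be a URL at all; what it surfaces is the beneficiary and amount the user is about to authorise.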

  • by Chris Mattern ( 191822 ) on Monday October 28, 2024 @10:56AM (#64899763)

    "Here's an incompletely human-incomprehensible piece of data designed to encode something that you have no idea what it'll do other than what we tell you. It'll be fine, trust us."

    • by pjt33 ( 739471 )

      And how is that different from a hyperlink [example.com]?

      • A hyperlink [goatse.cx] has at least the potential to be confirmed as something safe and familiar.

        • If a QR code is just an embedded address it is just an html link that could be shown to the user BEFORE loading and ask 'does this look right to you?' 'Are you sure'?

          It's just another link scam except not in email. Hmph.

          If you are over 13 why are you trusting anything digital anymore?
          • "If a QR code is just an embedded address it is just an html link that could be shown to the user BEFORE loading and ask 'does this look right to you?' 'Are you sure'?"

            Yes, you can decode the QR contents first and see what it is. But it's an extraneous fiddly step much more inconvenient than simply mousing over a hyperlink to see its destination displayed.

            • by Tx ( 96709 )

              I don't know what y'all are using, but Google Lens shows you the URL automatically when you point it at a QR code that encodes a link, you can then choose whether or not to visit it, so I would say pretty equivalent experience to using a hyperlink.

          • A QR code can be anything.
            A picture of your baby.

            Or my bank account info and an amount I expect you to transfer. So, you scan it. See my name, see the amount, click ok, click finish, and your bank transfers the money. No damn web / html or anything involved.

            QR codes have absolutely nothing to do with web addresses. Unless: you intentionally encode a web address as QR code.

            • Unless: you intentionally encode a web address as QR code.

              And that is exactly what the rest of us are discussing...

      • Before browsers started obscuring them, you used to see entire links before you interacted with them, and human readability was a feature. Ironically Slashdot itself undermined your example by prominently displaying the associated domain.
        Many QR code interfaces are now displaying the underlying URL before proceeding to enable discriminating.

        • by pjt33 ( 739471 )

          I cannot remember ever using a QR code reader which didn't show the URL and ask what I wanted to do with it, hence my question. A grid of black and white squares is not inherently more or less opaque than arbitrarily chosen anchor tag content.

          • "I cannot remember ever using a QR code reader which didn't show the URL and ask what I wanted to do with it."

            I don't tend to use QRs much. I don't recall a QR reader ever doing that for me. If they do do that on a regular basis, then that's much better.

          • The problem with QR codes is that they don't always show the landing address directly. It is usually a short URL. Then it's not just a question of whether you trust QR codes, but whether you trust short URLs.
        • by Scutter ( 18425 )

          Have you met users? You could show a giant red warning that says "DANGER! THIS IS A MALICIOUS LINK! CLICKING ON IT WILL GET YOU ROBBED AND FIRED!" and they'll still click on it, fill out all the forms, and then two weeks later open a helpdesk ticket to report it. It barely matters if it shows you the underlying URL or not, except to the sort of people who read slashdot.

          • by Teun ( 17872 )
            I could mark you as Insightful but instead answer your post, indeed it is the stupidity of the user that makes the Quishing effective.
            It's the same people that don't check a link in an email or if they do check it they don't grasp that .cn or .ng in the link is not leading to their US/German/British/whatever bank.
      • by Nkwe ( 604125 ) on Monday October 28, 2024 @11:09AM (#64899795)

        And how is that different from a hyperlink [example.com]?

        At least with a hyperlink, you can visually see what the FQDN is. If it is amazon.com, apple.com, or company name you have actually heard of, you can likely proceed with reasonable confidence. If it is amaz0n.com, you know something is fishy. With a QR code, you can't even eyeball it for sanity.

        • At least with a hyperlink, you can visually see what the FQDN is. If it is amazon.com, apple.com, or company name you have actually heard of, you can likely proceed with reasonable confidence. If it is amaz0n.com, you know something is fishy. With a QR code, you can't even eyeball it for sanity.

          False. A QR code is just text and any QR code reading tool even remotely worth its salt will offer you a preview of that text and not just blindly execute something. The only purpose of an automatically executing QR code is special purpose applications, such as a handshake for a login, and you wouldn't be worried about a Quishing attempt there since it's something you literally need to initiate yourself.

      • The rest of the article:

        Researchers and fraud managers said it was hard to estimate the costs of “quishing” as cyber security companies and banks do not typically log the format of malicious links and because such emails may be just one element in a broader cyber attack.

        But research by IBM found that “phishing” attacks — which involve scammers sending targeted emails with malicious links — are increasingly expensive to companies, with the global average cost of a data breach rising nearly 10 per cent to $4.9mn in 2024.

        QR codes contain data, such as URLs or payment information, in binary code. Invented by Japanese company Denso Wave in 1994 as a tool for tracking auto parts, these codes are designed to be quickly readable by machines, particularly smartphones, but are generally illegible to humans.

        Although most smartphones display a short preview of the URL contained in a scanned QR code, researchers have said that this pop-up is generally not sufficient for users to be able to detect that a link might be fraudulent.

        “These attacks take advantage of the fact that QR codes, by nature, are difficult to interpret visually, so victims often don’t know where they are being directed to until it’s too late,” said Amir Sadon, director of research at cyber security consultancy Sygnia.

        Banks said that the prevalence of this kind of scam has accelerated since QR codes surged in popularity during the Covid-19 pandemic, when they were used to display everything from vaccine passports to restaurant menus. “It’s definitely a growing trend in terms of the number of reports we’re seeing,” said Steph Harrison, a senior fraud operations manager at TSB.

        A survey by security software company McAfee in May found that more than a fifth of all online scams in the UK probably originated from QR codes. Reports of QR code scams in the UK more than doubled in the year to August 2024, according to Action Fraud.

        The US Federal Trade Commission, as well as multiple local authorities across the UK, also warned this year about a specific kind of “quishing” scam targeting drivers, including cases where stickers directing users to fraudulent sites have been placed on top of legitimate QR codes used to pay for parking.
        These links may direct users to an incorrect website and ask them to enter their details, or lead them to download malware. Worse still, said Harrison, “you could also get fined for not actually having a parking ticket”.

        Victims have also reported fraudulent QR codes being placed over legitimate ones at EV charging points, train stations and restaurant tables.
        But researchers said that “quishing” scams are most commonly deployed in emails — a threat that has put corporate security vendors under pressure to adapt their online defences.

        “Today almost no [cyber security] products are looking through attachments,” said Wisniewski. “If this continues to be a problem, I suppose the industry will have to move there — but it will slow down the delivery of emails, and it will also make things more expensive.”

      • by DarkOx ( 621550 )

        I will grant you that through various methods it is possible to obscure almost every detail one might make a trust decision on within a link. At least though if you are somewhat savvy you can 'spot' if the opacity is there for a technical reason or just to make it harder to know what your clicking on, or some mixture of the two, and make your choice informed by that judgement/information.

        QR codes basically normalize near total opacity. A lot of QR code applications represent an interface designed to active

      • And how is that different from a hyperlink [example.com]?

        you can put your mouse over the hyper link, and see where it's going to

    • "Here's an incompletely human-incomprehensible piece of data designed to encode something that you have no idea what it'll do other than what we tell you. It'll be fine, trust us."

      QR codes are just text. Any competent application allows you to preview the contents to the text prior to doing anything with it. There is no implicit trust placed here unless you the user blindly apply that trust through the use of a crappy app or by setting your settings incorrectly.

      A QR code is no worse than a link. You the user go to that link. It doesn't matter if it is a little picture with black squares or if it looks like this: this is not goatse.cx trust me [notareallink]

      • or by setting your settings incorrectly.

        Which most people do. Even if they should know better. Because it's a second or two faster.

        I was going to post a link to the graphic of the funny Windows Defender popup (the one with the button that says "make this message go away and get on with things"). But most of what came up in my search was how to turn security warnings off.

    • Man, you must really hate bar codes too...

    • by Zarhan ( 415465 )

      I use a QR scanner from F-Droid, https://f-droid.org/packages/c... [f-droid.org] - when you scan a link, it prominently shows you where it's leading and requires you to tick a checkbox "I've verified this link, fire up the browser to go there". So you cannot just click through.

      No difference to a hyperlink really.

    • Here's a computer system which will, without any confirmation from the user, download and execute computer code from any location it sees. What could possibly go wrong?

      Maybe we should recognize that certain vendors simply don't build secure systems, and refrain from using those vendors for anything involving money or value.

    • QR Scanner, on F-Droid does exactly this
  • by ninjaadmin ( 896197 ) on Monday October 28, 2024 @11:10AM (#64899797)
    Quishing, smishing, vishing, etc... wtf. I've never met anyone that actually works in security and uses these terms. "phishing" or "social engineering" covers it all...
    • I feel like the new cyber security words are all made up by CompTIA so to sell people new Security+ text books.

      • I feel like the new cyber security words are all made up by CompTIA so to sell people new Security+ text books.

        This. I imagine KnowBe4 has a hand in it as well in order to sell annual "security" training.

    • That's a strange way of saying you've never met anyone that actually works in security. Where do you think these silly terms came from in the first place. A quick google search of the term will tell you that it's already a thing, you can get onboard with nomenclature used or you can forever be considered that one stubborn person who has trouble communicating with others.

      • by ninjaadmin ( 896197 ) on Monday October 28, 2024 @11:33AM (#64899879)

        That's a strange way of saying you've never met anyone that actually works in security. Where do you think these silly terms came from in the first place. A quick google search of the term will tell you that it's already a thing, you can get onboard with nomenclature used or you can forever be considered that one stubborn person who has trouble communicating with others.

        Weird... and here I thought my Masters in Information Assurance and 3 decades of experience actually meant something all this time.

        • No, it just means you have paperwork. Degrees are meaningless, especially in the context of IT where your attempt to demonstrate relevance points more to someone who did something 3 decades ago. For that you're better off rattling off a list of continuous learning you've done, industry conferences you've attended, you know, anything relevant in the time frame of the past year where the term quishing has been a thing instead of bragging about something you did 30 years ago when camera phones didn't even exis

          • Interesting... you assume that degree was obtained at the beginning of my career.
            Let me clear that up for you... my cybersecurity degree was obtained in 2016 at USF. Granted, that's not exactly "recent" in technology terms... but also not quite as ancient as you assumed.

            Since then, I went ahead and got another Masters in CS from Georgia Tech... I like to keep my skill set up to date.

            Earning 5 degrees (and stacks of certs) over the years doesn't just mean I have paperwork... it shows dedication to continu

        • The key here is the phrase "works in". People who sell security products and services love these words, because it makes it sound like the products do more. "We protect you from phishing, vishing, smishing, and quishing!" They make up the words and use them in their advertising and product sheets.

          On the other hand, the people who actually use those products and services just roll their eyes and lump all of these together as "phishing". If it's actually important to distinguish them they'll say something l

    • by Tablizer ( 95088 )

      Quishing, smishing, vishing, etc... wtf.

      Haven't you heard? Squids run the Deep State, and control naming.
