Don’t Get Scanned! Staying Safe from Quishing and Malicious QR Codes

QR codes (Quick Response code) are everywhere—on restaurant menus, posters, payment terminals, and even in your school hallways. They’re convenient, fast, and a huge part of modern life.

But with great convenience comes a new digital security risk: quishing.

Quishing is a form of phishing that uses malicious QR codes to trick you. Just like a phishing email tries to steal your passwords or install malware, a quishing attempt tries to lure you into a dangerous action simply by scanning a code. Scanning a malicious QR code is just as bad as clicking a suspicious link in your texts or email!

4 Simple Rules for QR Code Safety

Your smartphone’s camera or a dedicated scanner app can’t tell the difference between a helpful, legitimate QR code and one created by a scammer. It’s up to you to verify the validity of QR codes.

Here are the four essential safety rules to follow before you scan:

1. Inspect the QR code

Hackers don’t need to put up their own QR code, they can place QR code stickers over legitimate QR codes to trick you into scanning.

• Look closely: Is the QR code a sticker on top of a print out? Is it misaligned, raised, or peeling.
• If it looks suspicious, don’t scan it: Use the physical sign-up form, manually type in the website address, or find an official source for the information.
• Better safe than sorry: It is always better to not scan a legitimate QR code than to scan a malicious QR code.

2. Always Review the Link Before You Tap!

This is your most important safeguard. When you scan a QR code, your phone or scanner app will almost always show you the URL (web address) it’s trying to take you to before it opens the page.

• Stop and read: Before you tap “Open” or “Go,” look at the address. Does the website name look correct? Is it a short link (like bit.ly or tinyurl) that could be hiding a dangerous address?
• Check for odd spelling: A malicious link may look like a real one, but with a small change, like yootube.cominstead of youtube.com or bankofamericca.com instead of bankofamerica.com. Even if you recognize the link, it may not be safe. Hackers use Unicode lookalikes in URLs to use characters that look identical to another letter but are read differently by your device.
• Be wary of downloads: If the link is trying to download a file or an app directly to your phone, do not proceed unless you are absolutely certain of the source.

3. Be Skeptical of Unexpected Prompts

QR codes may take you to websites that look like login pages but actually record your username and password.

• Asking for a login: If the code was just supposed to show you a school event schedule, why is it suddenly asking for your email password or student ID and PIN? Legitimate sites rarely ask you to log in immediately after scanning a QR code.
• Don’t say yes to privilege prompts: If you get a pop up saying the website wants to access your location, click don’t allow unless that information should be required.

4. Protect Your Personal Information

If a QR code takes you to a payment, login, or survey page, ask yourself: Is the URL secure?

• Check if the website uses HTTPS: Always look for the padlock icon in your browser’s address bar. This indicates the connection is encrypted (using HTTPS), which makes it harder for others to steal your information as you type it.
• If the page looks like a login screen but does not use HTTPS: Do submit any sensitive information through a page that does not use HTTPS.

---

Key Takeaway

QR codes are just links in a picture format. Treat them with the same caution you would an email from an unknown sender. If you didn’t expect the code, or if the result of the scan looks strange, just hit ‘Back’ or close the browser tab.

By following these simple steps, you can use the convenience of QR codes without falling victim to quishing scams. Stay safe and happy scanning!