Criminals Love QR Codes

You've just scanned a legitimate QR Code. Always remember to PAUSE and THINK before you scan any more.

Scroll down to see how to spot Quishing attacks...

Phishing and Vishing I knew about, but Quishing??

Quishing, also known as QR code phishing, is a type of phishing attack that tricks someone into scanning a QR code with a mobile device.

Scanning the QR code could take the user to a fake website, download malware or ask them to input sensitive information.

How does Quishing work?

The attacker sends an email that looks legitimate, such as one from Microsoft or DocuSign, with a QR code placed as an image somewhere in the message, and encourages the user to scan it.

Not only can Quishing happen via email, but it can also happen via social media or even physical channels such as flyers or posters.

Can you spot a Quishing email?

[Image: screengrab of an email]

The email has been sent from an unknown sender address. Were you expecting to hear from this sender? Some phishing emails can come from what look like legitimate email addresses – simply hover over the address to confirm the sender’s identity.

The email was sent from an external sender. Always treat external emails with caution.

The subject line plays on emotion and, on this occasion, curiosity. Genuine emails may contain catchy subject lines, so be wary and check for other signs.

The greeting is a general one. This is a red flag. Remember, sophisticated criminals may well target you by name, so always be careful. Sometimes you may notice your personal emails are addressed to ‘Dear member’ or ‘Dear account holder’. Be wary of greetings like this.

Clickable links can be malicious and take you to fake websites or download viruses to your device. Hover over the link to reveal the true address.
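
The same red flags can be checked automatically when a reported email is triaged. The script below is an added example, not part of the original page: the organisation domain `example.com`, the list of generic greetings and the sample message are constructed assumptions. It only notes that an image part is present and does not decode the QR code itself.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumption: your organisation's mail domain
GENERIC = re.compile(r"\bdear\s+(member|user|customer|account holder)\b", re.I)
URLISH = re.compile(r"(https?://)?([\w-]+\.)+[a-z]{2,}(/\S*)?", re.I)
def host(u):
    return urlparse(u if "://" in u else "//" + u).hostname

class Links(HTMLParser):  # collects [href, visible text] for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self.open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_data(self, data):
        if self.open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"

def red_flags(raw):
    """Return the red flags found in one raw email (HTML body only)."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    if not parseaddr(msg.get("From", ""))[1].lower().endswith("@" + INTERNAL_DOMAIN):
        flags.append("external sender")
    part = msg.get_body(preferencelist=("html",))
    body = part.get_content() if part else ""
    if GENERIC.search(body):
        flags.append("generic greeting")
    parser = Links()
    parser.feed(body)
    for href, text in parser.links:  # same comparison as hovering over the link
        if URLISH.fullmatch(text.strip()) and host(text.strip()) != host(href):
            flags.append("link text does not match target")
    if any(p.get_content_maintype() == "image" for p in msg.walk()):
        flags.append("image part (possible QR code)")
    return flags

# Constructed sample message (not a real email); the image payload is a stub.
SAMPLE = ('From: notify@mail.invalid\nContent-Type: multipart/related; boundary=b\n\n'
          '--b\nContent-Type: text/html\n\n<p>Dear user, scan the code or visit '
          '<a href="https://login.portal.invalid/x">https://sign.example.com</a></p>\n'
          '--b\nContent-Type: image/png\nContent-Transfer-Encoding: base64\n\niVBORw0KGgo=\n--b--\n')
```

Calling `red_flags(SAMPLE)` returns all four flags; a message from an internal sender whose link text matches its target returns an empty list.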

Protect against Quishing emails:

Learn more about Quishing, other phishing attacks and how to report them by searching Cyber Security on Inside Unilever.

Visit the Cyber Security Zone