What is ‘quishing’? Malicious QR codes out for your money, info – NBC 7 San Diego

QR codes are everywhere. They’re easy to use, convenient for everyone and save a whole lot of time. Just aim the camera on your phone, click and straight to a website you go. But they also have a darker side.

The convenience of QR codes

Would you like to check out the menu at your favorite restaurant? Click on the QR code.

How about applying for credit at your go-to electronics or clothing store? Click on the QR code.

Do you want to know the latest weather update? NBC 7 has a QR code for you.

“They have kind of revolutionized the way we get access to information quickly,” said James Chatwani, senior security strategist with Guidepoint Security.

He explained that QR codes have been around longer than most people think, but they really took off during the pandemic.

QR codes shot up in popularity during the pandemic, particularly to access menus at restaurants.

“If you think about it, the restaurant menus went out the window, if you will, and QR codes really became the norm,” he said. “So today, we use it for anything, from restaurant menus to paying parking fees and airline tickets.”

The dark side of QR codes

You know who else is taking advantage of QR codes? Scammers!

It’s called “quishing”. Malicious QR codes are used to grab your money, personal and financial information, or to download malware to your phone.

Here are just a few ways quishing might, well, quish you.

James Chatwani from Guidepoint Security warns about the risks of blindly trusting QR codes.

“It’s really easy to put a fraudulent QR code sticker over a real one, and so really leading consumers to potentially access websites that are malicious,” he explained.

Parking meters are a good example of this. The city of San Diego issued an alert last year warning of malicious QR codes placed over the legitimate ones in other Southern California cities. Fortunately, not in San Diego — at least, not yet.

Southern California cities (not San Diego) have reported malicious QR codes placed on parking meters.

In July, SDG&E warned customers that QR codes were being used by people pretending to be agents collecting on overdue bills

The FTC advised you should stay away from QR codes included in unexpected small gifts you may get in the mail.

“Be vigilant and make sure that if you are clicking on a QR code, that it is taking you to a website that doesn’t look malicious or have a lot of misspellings that could potentially look like something that’s been spoofed or faked,” Chatwani said.

Sage advice, as 73% of Americans scan QR codes without verification, according to cybersecurity company NordVPN.

“And they all kind of look the same, right, with very little differences. It’s very hard to distinguish what really is a valid one and what isn’t,” the cybersecurity expert said.

How not to get “quished”

If you get a message urging you to scan a QR code to pay a bill, fine or whatever, ignore it. Just go straight to the source to make sure you owe what they say and pay it there.

As for parking meters, it’s safest to tap a card to pay. The city of San Diego said the QR codes they have on their meters are only for downloading their Park Smarter app.

If you get an unexpected gift in the mail with a QR code for you to scan, don’t — at least not without first researching what it’s all about.

“Making sure that you’re only clicking on trusted QR codes is really the best way to keep yourself safe,” Chatwani said, adding that you should notify the company, organization or impersonated agency, so they can report it to law enforcement and get the word out to their clients.

QR codes are everywhere, after all, and are likely here to stay.