Department of Information Technology

Latest Cyber Threat: Quishing

woman scanning a QR code on her mobile device.The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) warns of two recent phishing campaigns involving QR codes, known as 'Quishing' or QR-phishing. In quishing scams, cyber criminals generate fake QR codes that mimic legitimate ones in order to deceive users into providing their personal information, such as login credentials or financial information. Once the code is scanned, it takes the user to a counterfeit website where they are prompted to enter sensitive data.

The recent quishing campaigns observed by the NJCCIC involved emails impersonating IT departments indicating that the user could scan the QR code to initiate updates or maintenance of 2FA (two-factor authentication). The campaign included two methods of sending users the fake QR codes, one inserted the code directly in the body of the email, while the other attached the QR code in a PDF.

Separately, the Better Business Bureau (BBB) recently reported a QR code fraud scheme in which scammers placed fake QR code stickers on top of legitimate ones in order to send drivers to fraudulent sites to pay for parking.

Protect Yourself from Quishing Attempts

There are a few different ways in which scammers use QR codes to steal personal information or commit other crimes:

  1.  You Could Be Directed to a Phishing Website
    The website may look legitimate, but you will be prompted to enter personal information, such as your name, phone number, and credit card number. Scammers then use this to steal your financial information and/or identity.

  2. Your Device Could Get Infected With Malware
    QR codes can be configured to automatically download content onto your devices such as malware, ransomware, and trojans. Some infections have the ability to track you, steal your private data, encrypt your device, and even spy on you.

  3. The QR Code Could Send Emails from Your Accounts
    The codes can be programmed to access payment sites, monitor social media accounts, and send pre-written emails. For instance, a fake QR code can create and send emails from your account if you scan it.

What to Look Out For

There are some signs that indicate if you are dealing with a fraudulent QR code.

  • Preview the URL destination before accessing the link on your phone; look out for URLs that are unreadable or shortened.
  • Check if you are being directed to a 'secure' site, especially if you are asked to enter credit card or payment information. Secure sites will use HTTPS rather than HTTP and will have a padlock icon next to the URL.
  • Look out for red flags on the website, such as mispellings, low-quality images, and inaccuracies.
  • Be cautious with QR codes in public places or in the mail. Avoid scanning these as much as possible to minimize the risk of infection.

If You Accidentally Scanned a Fake QR Code

If receive an email with a suspicious or unsolicited QR code, report it!  Click the “Report Phish” button, located in the top navigation of your email account, to send the email to IT Security for investigation.  If you are unable to find the button, open a ticket with the Technology Service Desk by forwarding the phishing email to [email protected].  

If you accidentally scanned a fraudulent QR code or provided any information before recognizing the phishing attempt:

  • Disconnect from your Wi-Fi or cellular network immediately. If you downloaded malware onto your device, turn off any internet connection as soon as you realize the file might be corrupt.
  • Change the passwords of any compromised accounts.  
  • If you’ve provided credit card or banking information, contact your bank and financial institutions to make them aware of the situation.  
  • Lastly, report the phishing attack to Information Security to receive recommendations for additional steps. 

Visit NJCCIC for the latest information on cyber threats targeting New Jersey. 

Categories: Science and Technology

For more information, please contact: