How to prevent quishing attacks
Phishing is a cybercrime in which a target or targets are contacted through email, by someone posing as a legitimate organisation to lure individuals and companies into providing sensitive data. A form of phishing is quishing, which uses QR codes to lure you to nefarious websites. As with any type of phishing, the best defence against quishing attacks is to be aware of the threat.
Organisations and individuals should follow the following tips to avoid falling prey to this scam:
- Never scan a QR code from an unfamiliar or unexpected email.
- If you receive a QR code from a trusted contact via email, confirm via a separate medium e.g., text message, voice call, etc., that the message is legitimate.
- Stay alert for hallmarks of phishing campaigns, such as a sense of urgency and appeals to your emotions – e.g., sympathy, fear, etc.
- Review the preview of the QR code’s URL before opening it to see if it appears legitimate. You can do this by opening your mobile device camera and pointing this at the QR code. This will identify the webpage link and provide the site address the code will take you to. Make sure the website uses HTTPS rather than HTTP, doesn’t have obvious misspellings and has a trusted domain. Don’t click on unfamiliar or shortened links.
- Be extremely wary if a QR code takes you to a site that asks for personal information, login credentials or payment.
- Consider using a password that’s made up of three random words, you’re creating a password that will be strong enough to keep the criminals out, but easy enough for you to remember. Never use the same password for more than one account.
Organisations should also consider additional security controls that can help combat multiple types of phishing attacks and mitigate the damage if one is successful. These include the following:
- Allow-listing and block-listing.
- Anti-spam filters.
- Strong email security policies.
- Strong password policies.
- Multi-factor authentication.
- Anti-malware software.
- Email security gateways.
- Threat intelligence services.
Advice for victims of quishing attacks:
If you or someone you know has been a victim of a quishing attack, don’t feel embarrassed, help and support is available.
- Contact the Police. The police will take your case seriously and will deal with it in confidence.
- Report to National Cyber Security Centre (NCSC). NCSC is a UK government organisation that has the power to investigate and take down scam email addresses and websites. If you have received an email which you’re not quite sure about, forward it to [email protected]
Information from Police Scotland Cybercrime Prevention Team
Related content
Self Assessment customers are urged to be on the lookout for scam texts, emails and phone calls from fraudsters.
With around 12 million people expected to submit a Self Assessment tax return for the 2022 to 2023 tax year before the 31 January 2024 deadline, fraudsters will prey on customers by impersonating HMRC.
As of late May/June 2021, the National Cyber Security Centre (NCSC) is investigating another increase in ransomware attacks against schools, colleges and universities in the UK. The NCSC has previously highlighted an increase in ransomware attacks on the UK education […]
Our colleagues at the National Cyber Security Centre (NCSC), the UK’s technical authority on cyber security, have issued an advisory highlighting the activities of the Russia-based SEABORGIUM and Iran-based TA453.
These state sponsored threat actors continue to successfully use spear-phishing attacks against targeted organisations and individuals in the UK, and other areas of interest, for information gathering activity.
Although there is similarity in the tactics techniques, procedures and targeting profiles, these campaigns are separate and the two groups are not collaborating.