How to prevent quishing attacks

Phishing is a cybercrime in which targets are contacted by email by someone posing as a legitimate organisation, to lure individuals and companies into providing sensitive data. Quishing is a form of phishing that uses QR codes to lure you to malicious websites. As with any type of phishing, the best defence against quishing is awareness of the threat.

Organisations and individuals should follow these tips to avoid falling prey to this scam:

  • Never scan a QR code from an unfamiliar or unexpected email.
  • If you receive a QR code from a trusted contact via email, confirm through a separate channel (e.g., a text message or voice call) that the message is legitimate.
  • Stay alert for hallmarks of phishing campaigns, such as a sense of urgency and appeals to your emotions – e.g., sympathy, fear, etc.
  • Review the preview of the QR code’s URL before opening it to see whether it appears legitimate. You can do this by opening your mobile device camera and pointing it at the QR code: the camera will identify the link and show the site address the code will take you to, without opening it. Make sure the website uses HTTPS rather than HTTP, has no obvious misspellings and is a domain you trust. Don’t open unfamiliar or shortened links.
  • Be extremely wary if a QR code takes you to a site that asks for personal information, login credentials or payment.
  • Consider using a password made up of three random words; this gives you a password that is strong enough to keep criminals out but easy enough for you to remember. Never use the same password for more than one account.
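The URL-preview check above can be written down as a simple triage routine. The following is an added example (not Police Scotland's code or guidance): it applies the same red flags the tip lists, HTTP instead of HTTPS, shortened links, a domain that is not one you trust, and a misspelt lookalike of a trusted domain, to a URL decoded from a QR code. The allow-list, the shortener list, the lookalike substitution table and all sample URLs are constructed for the example.

```python
"""Triage a URL decoded from a QR code before anyone opens it.

Added illustration of the "review the preview of the QR code's URL" advice.
The heuristics (HTTPS check, shortener list, lookalike domains, allow-list of
expected domains) are assumptions chosen for this example, not a published
standard, and every sample URL below is constructed.
"""
from urllib.parse import urlsplit

# Domains the organisation actually expects in legitimate QR codes (assumed).
ALLOW_LIST = {"example.com", "login.example.com"}

# Common link shorteners that hide the real destination (assumed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Digit-for-letter swaps used to imitate a trusted name, e.g. "examp1e.com".
LOOKALIKE_SWAPS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalise(host: str) -> str:
    """Undo digit-for-letter substitutions so examp1e.com compares as example.com."""
    return "".join(LOOKALIKE_SWAPS.get(ch, ch) for ch in host.lower())


def triage(url: str) -> list:
    """Return a list of warnings for the decoded URL; an empty list means no red flags."""
    warnings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    # Tip: the site should use HTTPS rather than HTTP.
    if scheme != "https":
        warnings.append(f"not HTTPS (scheme is {scheme or 'missing'})")
    if not host:
        warnings.append("no hostname could be parsed")
        return warnings
    # Tip: don't open shortened links; the real destination is hidden.
    if host in SHORTENERS:
        warnings.append(f"shortened link via {host}; real destination hidden")
    # "user@host" in the authority part disguises which host is really contacted.
    if "@" in parts.netloc:
        warnings.append("credentials embedded before '@' to disguise the real host")
    # Tip: the domain should be one you trust.
    in_allow = host in ALLOW_LIST or any(host.endswith("." + d) for d in ALLOW_LIST)
    if not in_allow:
        warnings.append(f"domain {host} is not on the allow-list")
        # Tip: watch for obvious misspellings of a trusted name.
        for allowed in ALLOW_LIST:
            if host != allowed and normalise(host) == normalise(allowed):
                warnings.append(f"{host} looks like {allowed} (character substitution)")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, as a QR scanner might decode them.
    SAMPLES = [
        "https://login.example.com/account",
        "http://examp1e.com/reset-password",
        "https://bit.ly/3abcxyz",
        "https://example.com@evil-host.test/pay",
    ]
    for sample in SAMPLES:
        result = triage(sample)
        print(f"{sample}\n  -> {'OK' if not result else '; '.join(result)}")
```

The allow-list is the part worth maintaining: a QR code in a genuine payroll or parking notice points at a small, predictable set of domains, so anything outside that set deserves the separate-channel confirmation described in the second tip.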

Organisations should also consider additional security controls that can help combat multiple types of phishing attacks and mitigate the damage if one is successful. These include the following:

  • Allow-listing and block-listing.
  • Anti-spam filters.
  • Strong email security policies.
  • Strong password policies.
  • Multi-factor authentication.
  • Anti-malware software.
  • Email security gateways.
  • Threat intelligence services.

Advice for victims of quishing attacks:

If you or someone you know has been a victim of a quishing attack, don’t feel embarrassed: help and support are available.

  1. Contact the Police. The police will take your case seriously and will deal with it in confidence.
  2. Report to the National Cyber Security Centre (NCSC). The NCSC is a UK government organisation with the power to investigate and take down scam email addresses and websites. If you have received an email which you’re not quite sure about, forward it to [email protected]

Police Scotland

Information from Police Scotland Cybercrime Prevention Team
