
'Quishing' scams dupe millions of Americans as cybercriminals exploit QR codes
'As with many technological advances that start with good intentions, QR codes have increasingly become targets for malicious use. Because they are everywhere — from gas pumps and yard signs to television commercials — they're simultaneously useful and dangerous,' said Dustin Brewer, senior director of proactive cybersecurity services at BlueVoyant.
Brewer says that attackers exploit these seemingly harmless symbols to trick people into visiting malicious websites or unknowingly sharing private information, a scam that has become known as 'quishing.'
The increasing prevalence of QR code scams prompted a warning from the Federal Trade Commission earlier this year about unwanted or unexpected packages showing up with a QR code that when scanned 'could take you to a phishing website that steals your personal information, like credit card numbers or usernames and passwords. It could also download malware onto your phone and give hackers access to your device.'
State and local advisories this summer have reached across the U.S., with the New York Department of Transportation and Hawaii Electric warning customers about avoiding QR code scams.
The appeal to cybercriminals lies in the relative ease with which the scam operates: slap a fake QR code sticker on a parking meter or a utility bill payment warning and rely on urgency to do the rest.
'The crooks are relying on you being in a hurry and you needing to do something,' said Gaurav Sharma, a professor in the department of electrical and computer engineering at the University of Rochester.
On the rise as traditional phishing fails
Sharma expects QR scams to increase as the use of QR codes spreads. Another reason QR codes have increased in popularity with scammers is that more safeguards have been put into place to tamp down on traditional email phishing campaigns. A study this year from cybersecurity platform KeepNet Labs found that 26 percent of all malicious links are now sent via QR code. According to cybersecurity company NordVPN, 73% of Americans scan QR codes without verification, and more than 26 million have already been directed to malicious sites.
'The cat and mouse game of security will continue and that people will figure out solutions and the crooks will either figure out a way around or look at other places where the grass is greener,' Sharma said.
Sharma is working to develop a 'smart' QR code called an SDMQR (Self-Authenticating Dual-Modulated QR) that has built-in security to prevent scams. But first, he needs buy-in from Google and Microsoft, the companies that build the cameras and control the camera infrastructure. Companies putting their logos into QR codes isn't a fix, he said, because it can cause a false sense of security and criminals can usually simply copy the logos.
Some Americans are wary of the increasing reliance on QR codes.
'I'm in my 60s and don't like using QR codes,' said Denise Joyal of Cedar Rapids, Iowa. 'I definitely worry about security issues. I really don't like it when one is forced to use a QR code to participate in a promotion with no other way to connect. I don't use them for entertainment-type information.'
Institutions are also trying to fortify their QR codes against intrusion.
Natalie Piggush, spokeswoman for the Children's Museum of Indianapolis, which welcomes over one million visitors a year, said their IT staff began upgrading their QR codes a couple of years ago to protect against what has become an increasingly significant threat.
'At the museum, we use stylized QR codes with our logo and colors as opposed to the standard monochrome codes. We also detail what users can expect to see when scanning one of our QR codes, and we regularly inspect our existing QR codes for tampering or for out-of-place codes,' Piggush said.
Museums are usually less vulnerable than places like train stations or parking lots because scammers are looking to collect cash from people expecting to pay for something. A patron at a museum is less likely to expect to pay, although Sharma said even in those settings, fake QR codes can be deployed to install malware on someone's phone.
Apple, Android user trust is an issue
QR code scams are likely to hit both Apple and Android devices, but iPhone users may be slightly more likely to fall victim to the crime, according to a study completed earlier this year by Malwarebytes. Users of iPhones expressed more trust in their devices than Android owners and that, researchers say, could cause them to let down their guard. For example, 70% of iPhone users have scanned a QR code to begin or complete a purchase versus 63% of Android users who have done the same.
Malwarebytes researcher David Ruiz wrote that trust could have an adverse effect, in that iPhone users do not feel the need to change their behavior when making online purchases, and they have less interest in (or may simply not know about) using additional cybersecurity measures, like antivirus. Fifty-five percent of iPhone users trust their device to keep them safe, versus 50 percent of Android users expressing the same sentiment.
Low investment, high return hacking tactic
A QR code is more dangerous than a traditional phishing email because users typically can't read or verify the encoded web address. Even though QR codes normally include human-readable text, attackers can modify this text to deceive users into trusting the link and the website it directs to. The best defense is to not scan unwanted or unexpected QR codes and to look for ones that display the URL when you scan them.
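For an organization that owns the codes, the tamper inspection the museum describes and the address check recommended above can be partly automated. The following is an added example, not code from the article or from any organization named in it: it compares the payload decoded from each posted code against an inventory of what was actually printed. The inventory, placement ids, finding codes and `.example` URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed inventory: placement id -> the URL the organization printed there.
INVENTORY = {
    "lobby-01": "https://museum.example/exhibits/dinosphere",
    "meter-17": "https://pay.city.example/meter/17",
}


def parse_web_url(payload):
    """Split a decoded QR payload; raise ValueError if it is not an http(s) URL."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("payload is not a web URL")
    # .hostname is lowercased by urlsplit; .port raises ValueError if malformed.
    return parts, parts.hostname.rstrip("."), parts.port


def audit(placement, payload):
    """Return finding codes for one scanned code; an empty list means it matches."""
    expected = INVENTORY.get(placement)
    if expected is None:
        return ["UNKNOWN_PLACEMENT"]        # a code posted where none was installed
    try:
        got, got_host, got_port = parse_web_url(payload)
    except ValueError:
        return ["NOT_WEB_URL"]              # e.g. Wi-Fi or SMS payloads, broken URLs
    want, want_host, want_port = parse_web_url(expected)

    findings = []
    if got.username is not None or got.password is not None:
        findings.append("USERINFO_IN_URL")  # text before '@' is not the real host
    labels = got_host.split(".")
    if not got_host.isascii() or any(label.startswith("xn--") for label in labels):
        findings.append("IDN_HOST")         # possible look-alike domain
    if got_host != want_host or got_port != want_port:
        findings.append("HOST_MISMATCH")    # points somewhere other than printed
    elif got.scheme != want.scheme:
        findings.append("SCHEME_CHANGED")   # e.g. https downgraded to http
    elif (got.path or "/") != (want.path or "/") or got.query != want.query:
        findings.append("PATH_CHANGED")     # right site, different page
    return findings


if __name__ == "__main__":
    # Constructed scan results from one inspection round.
    scans = [
        ("lobby-01", "https://museum.example/exhibits/dinosphere"),
        ("meter-17", "https://pay.city.example@pay-city.example/meter/17"),
        ("meter-17", "http://pay.city.example/meter/17"),
        ("gift-shop-9", "https://museum.example/shop"),
    ]
    for placement, payload in scans:
        print(placement, audit(placement, payload) or "OK")
```
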
Brewer says cybercriminals have also been leveraging QR codes to infiltrate critical networks.
'There are also credible reports that nation-state intelligence agencies have used QR codes to compromise messaging accounts of military personnel, sometimes using software like Signal that is also open to consumers,' Brewer said. Nation-state attackers have even used QR codes to distribute remote access trojans (RATs) — a type of malware designed to operate without a device owner's consent or knowledge — enabling hackers to gain full access to targeted devices and networks.
Still, one of the most dangerous aspects of QR codes is how they are part of the fabric of everyday life, a cyberthreat hiding in plain sight.
'What's especially concerning is that legitimate flyers, posters, billboards, or official documents can be easily compromised. Attackers can simply print their own QR code and paste it physically or digitally over a genuine one, making it nearly impossible for the average user to detect the deception,' Brewer said.
Rob Lee, chief of research, AI, and emerging threats at the cybersecurity-training-focused SANS Institute, says that QR code compromise is just another tactic in a long line of similar strategies in the cybercriminal playbook.
'QR codes weren't built with security in mind, they were built to make life easier, which also makes them perfect for scammers,' Lee said. 'We've seen this playbook before with phishing emails; now it just comes with a smiley pixelated square. It's not panic-worthy yet, but it's exactly the kind of low-effort, high-return tactic attackers love to scale.'