Latest news with #quishing
CBC
18-07-2025
- Business
- CBC
Is that QR code actually a scam? Here's what to know about 'quishing' before you scan
If it seems like QR codes are everywhere these days, that's because, well, they are. Thanks to a surge in popularity during the COVID-19 pandemic, these scannable codes are being used by businesses and brands for everything from payments and registrations to advertising and information. You'll see them in restaurants in place of paper menus, on product packaging, on signposts, on parking meters — and even on trees.

But with success comes cybercrime — or in this case, QR code "quishing" (think phishing ... with a q). Just this week, the agency in charge of Montreal's parking meters warned of potentially fraudulent QR codes posted on its signs that might direct people to malicious websites. Last year, a similar warning was issued in Ottawa, and officials warned people who may have scanned them to check their credit card information.

As cases of QR code fraud are starting to pop up, and with some officials warning consumers to take pause, you may be wondering if it's ever safe to scan those familiar little black and white squares and follow the link. With that in mind, here's what you need to know about QR code scams and how to avoid them.

What are QR codes?

QR codes, or quick response codes, are a type of bar code that's scannable by digital devices like smartphones through their camera lens. They typically contain information, such as a link to a website.

One of the most popular uses is for payment, where the market is expected to reach $35.07 billion US globally by 2030, with a 16.1 per cent compound annual growth rate, according to a 2024 report by Allied Market Research. But just as the report predicted "massive adoption" of QR codes for payment, it noted that "rising data breaches and security issues limit the growth."

How do the scams work?

It's called "quishing," and experts have warned it can be highly effective when the codes are posted in credible places.

"QR code usage is so commonplace, and many users just scan them and hardly pay attention to where they're going," said Tom Arnold, a cybersecurity expert who lectures on digital forensics and incident response at San Jose State University and the University of Nevada, Las Vegas.

QR codes can be stuck on public signs, defaced websites, phishing emails, text messages and even placed into photo images, Arnold, who is also a digital forensics investigator, told CBC News. They're a "great way" for attackers to hide the URL or location they're sending people to, Arnold said.

Fraudsters claiming to be a service provider, government agency or financial institution use QR codes in various scams to steal personal information, money or both, the Canadian Anti-Fraud Centre (CAFC) explained in an email.

"Similar to fraudulent links or URLs, QR codes can be inserted into emails and texts to direct potential victims to fraudulent or malicious websites," a CAFC spokesperson said.

Have there been many cases?

In 2023, the U.S. Federal Trade Commission warned consumers that scammers are hiding harmful links in QR codes to steal personal information, using everything from parking meters to text messages.

Last year, the Canadian Centre for Cyber Security, part of Communications Security Establishment Canada, issued a similar warning in a publication on security considerations for QR codes, saying there's a potential for "threat actors to leverage QR codes to infect devices with malware, steal personal information, or conduct phishing scams." The Canadian Banking Association also warns about potential QR code scams.

That said, there haven't been a lot of cases in Canada, although experts say that could change. The CAFC said it's had just 10 reports related to QR code phishing since 2024.

CBC News has previously reported on two recent incidents: the parking meters with fraudulent QR codes in Montreal and Ottawa. And last August, the RCMP in Red Deer, Alta., warned residents of QR code scams, saying in a news release it discovered some recent cases of QR codes that, when scanned, bring the user "to a website that contains malware. This malware can obtain your banking information and other sensitive information."

In one case, someone had received a package of luxury goods that they had not ordered, the RCMP said, and when they opened the package, there was an attached note directing them to scan the QR code.

Could it get worse?

Kwasi Boakye-Boateng, deputy director of research and training with the Cyber Attribution Data Centre, located at the University of New Brunswick's Canadian Institute for Cybersecurity, said he thinks QR code scams are poised to become a major problem.

"I wouldn't be surprised if it's something that's catching on now. It's because no one is paying attention to it. And usually attackers would always find the easiest means to acquire any information that would give them a financial advantage," Boakye-Boateng said in an interview.

It's also become easy for people to design apps, tools and websites that look legitimate, especially using artificial intelligence, he said. And if the scammer is well resourced, it may not even be possible to trace it back to them, Boakye-Boateng said. "They can cover their tracks."

What are the warning signs?

Experts say you should carefully check the URL of where the QR code is directing you, since that can indicate whether it's a potential scam. Hovering over the code with your camera without actually clicking will usually show you the link, the CAFC said.

For instance, Arnold said, the URL for a fraudulent QR code that looks like it's sending you to TD Bank might look like this: /TDlogin. Adding a bunch of %20s allows the attacker to hide the fact they're actually sending you to he explained.

Any enticement that uses a sense of urgency is an immediate red flag, Arnold said, such as a QR code to buy last-minute tickets for a concert. In general, any unsolicited message of any type that prompts a user to scan a code should be considered a risk, he said, and lone QR codes that are just stuck on a wall or light post should never be scanned.

Some scammers will place stickers over legitimate QR codes in public spaces, like on parking meters and posters. As a safe practice, try scratching the code or scraping your fingernail over it to see if it might have been pasted on, Boakye-Boateng said. If you think you've fallen victim to a scam, call the police, he said.

"You have to be very diligent now."


The Independent
20-06-2025
- The Independent
Major warning issued over car park QR code scams amid rise in 'quishing'
Criminals are using fraudulent QR codes in car parks to steal personal and financial information, Action Fraud has warned.

Almost £3.5 million has been lost due to QR code scams with more than 780 reports of 'quishing' made to the UK's national reporting centre for fraud and cybercrime between April 2024 and April 2025.

Also known as QR code phishing, 'quishing' is a type of cyberattack where QR codes are used to trick individuals into visiting fraudulent websites or downloading malware.

Fraudulent QR codes are most frequently used in car parks, with criminals using stickers to tamper with the scan codes already in place on parking machines. The scam is also used on online shopping platforms, where sellers received a QR code via email to either verify accounts or to receive payment for sold items. Some phishing attacks impersonate HMRC, or other UK government schemes, targeting people with QR codes designed to steal personal and financial details, reports show.

People are being asked to stay vigilant and double-check QR codes to see if they are malicious, or have been tampered with, before scanning them online or in public spaces.

Claire Webb, Acting Director of Action Fraud, said: 'QR codes are becoming increasingly common in everyday life, whether it's scanning one to pay for parking, or receiving an email asking to verify an online account. However, reporting shows cyber criminals are increasingly using quishing as a way to trick the public out of their personal and financial information.

'We're urging people to stop and check before scanning QR codes, to avoid becoming a victim of quishing. Look out for QR codes that may have been tampered with in open spaces, or emails and texts that might include rogue codes. If you're in doubt, contact the organisation directly.'

Although QR codes used in pubs and restaurants are usually safe to scan, ones in open spaces like train stations or car parks might pose a greater risk.

Action Fraud suggests checking for signs that codes may have been tampered with, such as a sticker placed over a legitimate QR code. If you are unsure, it's best to not scan the QR code at all and instead find the official website or app of the organisation you are trying to make the payment to.

If you receive an email with a QR code in it, and you're asked to scan it, you should be cautious due to an increase in these types of 'quishing' attacks.

Another precaution to take is to always use the QR scanner that comes with your phone, rather than using an app downloaded from an app store, because it is more secure.


The Guardian
25-05-2025
- The Guardian
'Pay here': the QR code 'quishing' scam targeting drivers
You park the car and look for somewhere to pay. A large QR code on the machine offers to take you directly to the right website where you put in your card details before going on with your day. Only much later are you hit with the double whammy: money gone from your account, and a fine for not paying the genuine parking company.

The rise in app- and phone-based parking payment has opened a new frontier for fraudsters: quishing – so called because they are phishing attacks that start with a QR code.

The fraudsters stick the codes in places where you would expect to see details of how to pay to park. When you scan one, it takes you to a site where you are asked for your payment details – as you would expect when booking parking.

One victim who scanned a code in a station car park told the BBC that the fraudsters tried to take payments then posed as her bank to get more information from her, before running up £13,000 worth of debt in her name.

Last year, the UK's Action Fraud received 1,386 reports of scams involving QR codes – a small number, but more than double that in the previous year. In just the first three months of 2025 there were 502, suggesting the problem is growing.

Chris Ainsley, the head of fraud risk management at Santander UK, says it is hard to get a full picture of the scale of the fraud. 'Unless drivers receive a parking ticket, a lot of people are unaware that their personal or card details were compromised in this way,' he says. 'When it comes to reporting the eventual scam, often the fact that it originated through quishing goes undocumented.'

A QR code where you might expect to see one – on a parking charge machine, on a post in a car park or sometimes on a public EV charger. The code will be on a sticker.

The website will ask for your payment details. It will also ask for your car details, but that is likely to be just an attempt to convince you it is a legitimate parking website.

You may later get a call from someone pretending to be from your bank who will use the information you have given and tell you that you have been defrauded and need to move your money to a safe account. The safe account is actually in the control of the scammers. Do not do as they ask – your real bank would never request this.

Be suspicious of any QR code on a parking payment machine or signpost in a car park. Check that it has not been stuck over a legitimate code.

If you have the right parking app already on your phone, use that rather than scanning a code. Use cash or a card to pay at a machine if those are an option.

Check the URL of the website before you click on it – it should appear on your phone as you scan the code. Do not click on it if it looks suspicious.

When you land on a page through a QR code, check details to make sure it is not a fraudulent version. Giveaways include weird URLs and bad spelling. Check that the URL includes HTTPS, rather than HTTP, before handing over details.

Keep an eye on your bank account and report any suspicious payments to your bank. Report the scam to the local council, police and car park owner if it is a private company.