
Preventing Quishing Attacks


QR code parking scams on the rise 

Councils across the UK are reporting an increase in malicious QR code stickers being placed on parking ticket machines. Councils such as Conway and West Northamptonshire are actively removing these stickers and urging locals to remain vigilant. Malicious QR codes are attractive to fraudsters because they are simple to use and difficult to distinguish from legitimate ones. Some campaigns take victims directly to a seemingly legitimate parking payment page to capture financial information or a direct payment, whereas another tactic is to use the details provided to enrol the victim in a costly subscription that is complicated to cancel. Potential indicators that a QR code might be fraudulent include peeling edges and poor print quality, and the URL the QR code directs to may not relate to the expected parking company or council.

Quishing attacks such as the above have recently been found in Scotland: QR codes found across Edinburgh led members of the public to an online payment site.

 

How to prevent quishing attacks

 

 

Phishing is a cybercrime in which a target or targets are contacted through email by someone posing as a legitimate organisation to lure individuals and companies into providing sensitive data. Quishing is a form of phishing that uses QR codes to lure you to nefarious websites. As with any type of phishing, the best defence against quishing attacks is to be aware of the threat. Organisations and individuals should follow these tips to avoid falling prey to this scam:
 

  • Never scan a QR code from an unfamiliar or unexpected email.
  • If you receive a QR code from a trusted contact via email, confirm via a separate medium e.g., text message, voice call, etc., that the message is legitimate.
  • Stay alert for hallmarks of phishing campaigns, such as a sense of urgency and appeals to your emotions - e.g., sympathy, fear, etc.
  • Review the preview of the QR code's URL before opening it to see if it appears legitimate. You can do this by opening your mobile device camera and pointing this at the QR code. This will identify the webpage link and provide the site address the code will take you to. Make sure the website uses HTTPS rather than HTTP, doesn't have obvious misspellings and has a trusted domain. 
  • Don't click on unfamiliar or shortened links.
  • Be extremely wary if a QR code takes you to a site that asks for personal information, login credentials or payment.
  • Consider using a password made up of three random words. This creates a password that is strong enough to keep the criminals out, but easy enough for you to remember.
  • Never use the same password for more than one account.
     
Organisations should also consider additional security controls that can help combat multiple types of phishing attacks and mitigate the damage if one is successful. These include the following:

  • Allow-listing and block-listing.
  • Anti-spam filters.
  • Strong email security policies.
  • Strong password policies.
  • Multi-factor authentication.
  • Anti-malware software.
  • Email security gateways.
  • Threat intelligence services.
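
The URL checks in the tips above (HTTPS, misspelt domains, shortened links) and the allow-listing control can be automated for a URL that has already been decoded from a QR code. The following is an added example, not part of the original alert; the domain lists, function names and the 0.9 similarity threshold are assumptions made up for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample values; replace with your organisation's own lists.
TRUSTED = {"exampleparking.co.uk", "examplecouncil.gov.uk"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def _is_under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    # Matching on the END of the host means a trusted name used only as a
    # leading label of some other domain does not count as trusted.
    return host == domain or host.endswith("." + domain)


def _lookalike_of(host, trusted):
    """Return the trusted domain that host closely resembles, if any."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for good in trusted:
            if SequenceMatcher(None, candidate, good).ratio() >= 0.9:
                return good
    return None


def check_qr_url(url, trusted=TRUSTED, shorteners=SHORTENERS):
    """Return a list of warning strings; an empty list means no flags raised."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    if any(_is_under(host, s) for s in shorteners):
        # The real destination is hidden, so it cannot be judged here.
        warnings.append("shortened-link")
    elif not any(_is_under(host, d) for d in trusted):
        near = _lookalike_of(host, trusted)
        warnings.append(f"lookalike-of:{near}" if near else "untrusted-domain")
    return warnings
```

An empty result only means none of these checks fired; a site that asks for personal information, login credentials or payment still deserves the caution described in the tips.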
     
Advice for victims of quishing attacks

If you or someone you know has been a victim of a quishing attack, don’t feel embarrassed; help and support are available.

  1. Contact the Police. The police will take your case seriously and will deal with it in confidence.
  2. Report to the National Cyber Security Centre (NCSC). NCSC is a UK government organisation that has the power to investigate and take down scam email addresses and websites. If you have received an email which you’re not quite sure about, forward it to report@phishing.gov.uk

     

     



    Message Sent By
    Nick Porter
    (Police Scotland, Police Constable - Prevention, Intervention and Partnerships, E Div - Edinburgh City)
