What is quishing?

Quishing, short for QR code phishing, exploits the growing pervasiveness of QR codes in financial transactions. QR codes are machine-readable data formats that are useful for anything that needs to be scanned automatically. They have grown increasingly popular, and we now see QR codes used in a variety of settings. You may have seen them at restaurants that discontinued physical menus. These codes offer the convenience of directing a user to a specific webpage with the use of their own personal device. However, like many tech conveniences, they have become a target for cybercriminals seeking to deceive unsuspecting users. Imagine a scenario where a member scans a seemingly innocent QR code, only to unknowingly divulge sensitive information or grant access to malicious software. That's the crux of quishing. Credit unions must grasp the complexities of this threat to protect their members effectively.

How does quishing work?

Understanding how quishing works is vital. Scammers manipulate legitimate-looking QR codes, often placing them in high-traffic areas or embedding them in fraudulent emails. The goal is to manipulate users with seemingly legitimate looking QR codes. These codes can redirect users to fake websites or prompt downloads of malware, compromising sensitive data. Users may be tricked into providing personal or financial information to the bad actor. QR codes are accessed through phones and create a bigger vulnerability for the user in the absence of desktop or email software that scans for spam. Because QR codes utilize the user’s mobile device camera to read the data, it becomes problematic if the code directs to a malicious website. With no additional safety nets in place, the only thing stopping a hacker’s payload is the user's judgement.

How can quishing be harmful?

The repercussions of quishing attacks are severe. Members face potential financial losses and identity theft. For credit unions, these incidents damage trust and tarnish reputations. As financial guardians, it's imperative to educate members about the risks and reassure their confidence with your credit union. Implementing robust security measures, such as multi-factor authentication and real-time monitoring, can strengthen your credit union’s defenses against quishing attacks.

How can we protect against quishing?

How can we help our membership in the face of a new cyber threat? The simplest remedy is to avoid QR codes. Some cybersecurity officials recommend only scanning QR codes when you are in person and able to verify the image with the owner. This is not always an option. Instead, you can advise members to verify the source of the QR code. With most quishing incidents occurring through email, the same rules for phishing caution apply. If any part of the sender’s name, email domain, signature, branding, or language in the body of the email seems “off,” don’t trust the QR code. Reinforce the message to not open links from strangers. A QR code is a graphic link to a website. Members should be reminded if they receive an unsolicited message from a stranger that includes a QR code, they should not trust it.

Educate your members about this emerging fraud threat. Just as we have all adapted to educating membership about email phishing, phone phishing (vishing), and SMS fraud (smishing), we must add quishing fraud to our awareness and education campaigns. As custodians of financial well-being, credit union professionals must prioritize member education and adopt stringent security protocols to counter quishing. By staying vigilant, fostering awareness through education, and implementing protective measures, we can collectively fortify our defenses against this evolving threat, safeguarding our members, and preserving the integrity of our institutions.

For more information, check out the BBB’s article on quishing.