Quishing on the Rise: How Cybercriminals Exploit QR Codes

In 2022, the U.S. Federal Bureau of Investigation issued a public service announcement warning of cybercriminals tampering with QR codes to steal banking data through fake codes at parking meters, charging stations, and stores. Since then, this type of attack, known as “quishing,” has grown increasingly rampant, according to the National Cybersecurity Center.

QR codes have become a part of everyday life, simplifying payments, access to information, and performing online transactions. However, because they are generated without controls or oversight, QR codes have become a prime vector for cyberattacks.

According to Iskander Sanchez-Rola, Director of Innovation for Norton, this practice initially began in the United States but has gained ground in Mexico. He told Expansión that the placement of fake QR codes has been detected in parking meters, electric vehicle charging stations, and businesses, both physical and online. According to him, this type of phishing has been successful because it is being placed in environments that users typically trust.

“By scanning these codes, [users] unknowingly access fake pages that aim to extract sensitive information, such as banking credentials,” said Sanchez-Rola.

According to Meta Compliance, this type of phishing works when a user scans a QR code and is redirected to a web page or application that mimics a trusted entity, such as a bank or an e-commerce platform. On this page, the user is asked to enter sensitive information, such as login credentials, bank details, or personal information to extract their information.

The information is collected by attackers, who can use it for unauthorized account access, identity theft, or financial fraud. In some cases, these fake sites also attempt to install malware on the victim's device, further compromising their security.