Avoiding scams seems a bit like whack-a-mole. As soon as you smack one away, another pops up, and one of the latest is quishing.
So what is it? Quishing is simple – scammers replace a legitimate QR code with a false one and then harvest data or steal money using the information we provide.
QR codes first became popular during the pandemic when we needed to scan to get into shops and restaurants, but now they are used for everything from ordering food to paying for parking.
The Royal Dutch Mint has even put them on the currency. Scan a QR code on a certain coin and it will direct you to the coin’s history and design.
What are QR codes?
Well, QR stands for quick response, and QR codes are basically fancy barcodes. The difference is that while barcodes contain information about the product they are on, QR codes can carry much more information, including a locator, connections to a network, identifying information and web tracking.
They have been around for a few decades, but only became popular during the COVID pandemic.
However, the vast majority are used for providing consumer information, payments and menus.
Which is where the problems begin. Scammers are using fake ones. They can be sent electronically, but sometimes it’s as easy as putting a sticker with the dodgy code over the real one.
It works so well because unless you have advanced technological knowledge, one QR code looks very much like the next one.
Scanning
We are becoming much more aware of scammy emails and texts – looking at you, Nigerian prince – but we don’t hesitate to scan a QR code when it’s placed in front of us.
UK consumer advocate group Which? – the British equivalent of CHOICE – has named quishing as one of the top scams to look out for this year.
Think about the last time you used a QR code. What information did you hand over? For me it was my credit card details when paying for a meal. That could have been my most expensive night out ever if that data had got into the wrong hands.
I don’t check my credit card charges until it pops into my inbox. Scammers could have been using that information for weeks before I realised. Thankfully there is a limit on my credit card, but if I had used a direct debit card and they had accessed my main savings account the result could have been devastating.
Another favourite quishing tactic is to sign people up to ‘subscriptions’ they may not notice until the scammers have drained a considerable amount of money out of their accounts.
Services Australia
Quishing is much more prevalent overseas but is becoming more widespread in Australia.
Organisations that have been impersonated include Services Australia, Medicare, the Australian Taxation Office (ATO) and Microsoft.
QR codes often pass spam tests in emails because email filters are usually only looking for dangerous email addresses, not the contents of the email.
Damien Manuel, adjunct professor of cybersecurity at Deakin University, told CHOICE that QR codes provide scammers with an easy way to hide malicious URLs in plain sight.
“We’re all being trained to look at a link now and go: is there a misspelling that makes it look like it’s not legit? But if I send it to you as a QR code, you’re probably not likely to spot it,” he says.
What can you do?
First up is to check if the code has been tampered with or if there is a sticker on the space.
It also pays to be suspicious. The ATO and myGov are never going to send you an email or text message with a QR code, so just assume any that claim to come from them are a scam.
The Australian Consumer and Competition Commission (ACCC) advises being wary of QR codes from unexpected sources that want personal information such as passwords, location or access to your phone’s camera or microphone.
It also warns you should never download an app from a QR code and instead always go to an official app store and access it there.
If you believe you have been scammed, you should contact your financial institution immediately. You should also change your passwords.
Scamwatch also encourages you to report scams to the ACCC. They will not be able to return any money to you, but the information you provide helps them warn people about current trends, monitor trends and disrupt scams where possible.