With the holidays here, cybercriminals see this season as the perfect opportunity to take advantage of all the bustle and gain access to personal information, steal money and credit card information, and compromise accounts (certainly landing themselves on the naughty list).
While you should always practice online safety and security throughout the year, Information Technology Services wants to encourage everyone to take extra precautions during the holidays — especially if you drop your guard when you get excited about scoring a hard-to-find gift or a great deal.
Scammers are always trying to find ways to trick innocent consumers into providing information, but one of the latest tricks is QR Code phishing, or quishing, and it’s considered the next best thing in social engineering.
Quishing is when a person receives an email with a QR code or scans a QR code, which opens the door for criminals to get them to share their personal information or download malware onto their devices.
What You Should Know
- Quishing works just like traditional phishing. The scammers ask for information like your username and password or a Two-Factor Authentication (2FA) code. The only difference is the request is made through a QR code.
- Practicing online safety and security year-round is important to keep yourself protected. Increasing your awareness during the holidays is necessary to combat cybercriminals increasing their attacks.
- Legitimate businesses do not send emails asking you to confirm your purchase or account information. Do not send your personal information by email or through a link in an email.
What You Should Do
- Delete emails from strangers. Criminals send emails with links or attachments designed to scam you.
- Never give out or share your username and password or provide a 2FA code. Criminals use the information to compromise your account.
- In person, check QR codes to make sure they have not been tampered with or have not been covered up with stickers. Criminals will cover legitimate QR codes with fake ones.
- Check to make sure a site is legitimate before you share your information, including your address and payment method.
Best Practices
- Always check links to make sure they are legitimate. Whether it is a QR code or a link in an email, examine the URL to make sure it goes to the correct site. Scammers often misspell the correct site’s name by changing a letter or two.
- Use a different username and password for every site you make purchases, and use 2FA if available.
- Make sure the site you are using is secure and your information is encrypted. The URL should start with https and show a padlock icon that is closed.
- Never scan QR codes from strangers whether in person or in an email.
Taking these simple steps can ruin the holidays for scammers, and help you have a happy and safe holiday season.
The above information about quishing and online holiday safety and security was compiled from Cybersecurity & Infrastructure Security Agency (CISA), Microsoft, SANS, and the National Cybersecurity Alliance.