Cybersafe September 01, 2022

Quishing: A new scam you should be aware of

QR codes are one of the most prominent trends that have risen from the popularity of cashless transactions in recent years. The convenience they have brought to consumers is seemingly limitless.


For one, the risk of making errors when inputting account numbers to transfer money has been reduced, since a user can simply scan another person’s QR code to complete the transaction. If a store offers a QR code as a mode of payment, then you just need to scan it using your phone’s camera and that’s it: you have just transferred money from your bank account to another person.


However, technology can be a double-edged sword: this innovation has also brought new ways for cybercriminals to scam other people. A new form of phishing, called “quishing”, has been circulating in cyberspace recently.


What is quishing?


You may have heard of phishing, which is basically a scam where a criminal pretends to be an authorized bank representative and tricks you into giving your personal data, such as your One-Time Password (OTP).


The usual modus operandi is that the criminal will claim you have problems in your bank account, and that you need to click a certain link (which directs you to a fake version of your bank’s website) and give your personal data to resolve the problem. Once the personal data has been entered on the website, criminals can use it to hack your account and steal your money.


Quishing works similarly to other forms of phishing, like smishing (a scam involving text messages) and vishing (a scam involving phone calls). A cybercriminal will send you an e-mail or text message claiming that you have won a prize or that you have problems with your accounts that need to be urgently addressed. These messages contain a QR code that you need to scan in order to access a website.


On that website, you will be asked to enter your personal data so that you can collect your prize. However, that website is merely a front for cybercriminals to collect your data so that they can access your account and make fraudulent transactions to steal your money.


How can you prevent being a victim of quishing?


As with other forms of social engineering fraud (SEF), the best way to protect yourself is to be wary of messages from people you do not know. Instead of paying attention to them, immediately block the unknown phone number and delete the e-mail containing the malicious QR code.


You should also never share your personal data, such as your OTP, bank account numbers and credit card numbers, with anyone who asks for it. If someone claims to be a representative of your bank, you should double-check whether you are talking to an official channel of your bank.


Banks are making it easier to detect fraudulent messages, as they no longer include links in the messages they send you. If someone is claiming to be your bank and is asking you to click on a link given in that message, that is a sure-fire way of knowing a cybercriminal is there to trick you.


Doing transactions online has countless benefits, but there are some risks to it too. As such, the best way to protect yourself in cyberspace is to prevent unknown people from getting to see your personal data.