Phishing is when a Cyber attacker tries to get your Marist, banking, social media, or other login information by enticing you through various means to click on a link that goes to a malicious website. Smishing is a similar tactic, where the original communication comes in through text message. And there is also Vishing, where you get a phone call that ultimately leads to stealing your credentials.

Quishing is a similar tactic, but uses a QR code instead of link to lead to a malicious site. If you look at postings here at Gone Phishing, you can see some recent examples.

Why do attackers use QR codes?

• Less common than phishing - phishing is more common, and people know to always be suspicious of links (especially unfamiliar ones) in email. Quishing is still relatively new, and Cyber attackers believe that people are more likely to fall for it.
• Harder to detect - common email protection tools are less likely to flag a QR code as malicious. The tools are very good at blocking emails with malicious links, but a QR code is an embedded image and is more likely to be allowed through most detection tools.
• Mobile devices have less protection - Most quishing arrives in work email, and business desktops usually have strong protection against malware, phishing, viruses, and other computer threats. QR codes require a smartphone or mobile device with a camera, and these devices are often personally-owned and do not have strong protection against Cyber threats.

What to do:

• Never scan a QR code in an email from an unfamiliar sender. (Is the sender familiar? You can call them to make sure the email is legitimate!)
• Look for other indicators of phishing, such as a sense of urgency, small spelling and grammar erros in the email, and an unknown sender's address.
• Most devices show a preview of the URL when scanning the code. Don't open an unfamiliar link, and look for misspellings in the website name.
• If the QR code takes you to a page that asks for your login credentials, never enter them there. If you think there might be a legitimate concern with a purchase, delivery, or online account, visit the company’s website directly in your browser or call the business by phone
• Learn more - see this informative blog post: https://www.mail.com/blog/posts/what-is-quishing/193/ and this posting from the Better Business Bureau: https://www.bbb.org/article/news-releases/27342-bbb-scam-alert-fraudulent-qr-codes-continue-to-be-used-in-a-variety-of-scams