Beware of Quishing: QR Code Scams in Australia and How to Protect Yourself | CyberSecRad

In recent years, QR codes have become a staple of modern convenience, popping up everywhere from restaurant menus to parking meters and event check-ins. Their ease of use skyrocketed during the COVID-19 pandemic, enabling contactless interactions across Australia and beyond. However, this widespread adoption has caught the attention of cybercriminals, who are exploiting QR codes in a sophisticated phishing tactic known as “quishing” (a blend of QR code and phishing). This blog post explores how quishing scams are targeting Australians, the tactics scammers use, and practical steps you can take to stay safe.
What is Quishing?
Quishing is a form of phishing that uses malicious QR codes to trick users into visiting fraudulent websites or downloading malware. Unlike traditional phishing, which relies on suspicious email links or text messages, quishing hides malicious URLs within QR codes—those black-and-white squares you scan with your smartphone. When scanned, these codes can redirect you to fake websites designed to steal personal information, such as login credentials, banking details, or credit card numbers, or even install harmful software on your device. In Australia, quishing scams have surged, with the Australian Competition and Consumer Commission (ACCC) reporting over 28 QR code scams since 2020, resulting in losses exceeding AU$100,000. Scammers are targeting trusted services like myGov, Australia Post, and major banks, exploiting the familiarity and trust Australians place in QR codes.
How Quishing Scams Work in Australia
Quishing scams are particularly effective because QR codes obscure the destination URL, making it difficult to spot red flags before scanning. Here are some common tactics scammers use in Australia:
- Tampered QR Codes in Public Spaces: Scammers place fake QR code stickers over legitimate ones on parking meters, restaurant tables, or public Wi-Fi signs. For example, a Melbourne resident might scan a QR code to pay for parking, only to be redirected to a fraudulent payment portal that captures their credit card details. Similar incidents have been reported in the U.S. and Europe, and Australia is seeing a rise in these schemes.
- Phishing Emails and Texts: Scammers send emails or SMS messages impersonating trusted organizations, such as Services Australia or the Australian Taxation Office (ATO). These messages often urge users to scan a QR code to “update myGov details” or “claim Medicare rebates.” Scanning the code leads to a fake website designed to harvest personal information. Notably, neither myGov nor the ATO will ever send QR codes via email or text, so such messages are immediate red flags.
- Fake Charity Appeals: Scammers create fraudulent QR codes posing as charities, especially during crises or holidays. These codes may appear on flyers or in emails, directing victims to fake donation pages that steal payment information.
- Restaurant Menu Scams: Fraudsters place fake QR codes on restaurant tables, claiming to link to digital menus. Instead, scanning the code takes users to malicious sites that prompt them to enter personal or financial details or download malware.
- Unexpected Packages: Some scammers send unsolicited packages with QR codes for “returns” or to “verify the sender.” Scanning these codes can lead to phishing sites that steal credentials or flood devices with malware.
These tactics exploit the trust Australians have in QR codes, especially since their use became second nature during the pandemic. The Australian Cyber Security Centre (ACSC) has noted a 51% global rise in quishing attacks, with Australia being a prime target due to its high adoption of QR code technology.
Why Quishing is So Dangerous
Quishing poses unique risks compared to traditional phishing:
- Hidden URLs: Unlike text links, QR codes don’t display the full URL before scanning, making it harder to spot misspellings or suspicious domains.
- Bypassing Security Filters: Many email security systems struggle to detect malicious links embedded in QR code images, allowing scams to slip through.
- Cross-Device Vulnerability: Employees may receive quishing emails on work devices but scan codes with personal phones, which often lack enterprise-level security, creating blind spots for organizations.
- Immediate Consequences: Scanning a malicious QR code can trigger instant malware downloads or lead to fake login pages that harvest credentials in real time.
Victims of quishing face risks like identity theft, financial fraud, and device compromise. For businesses, quishing can lead to data breaches, reputational damage, and loss of customer trust.
Real-Life Examples in Australia
- Services Australia Scam: Scammers sent emails impersonating Services Australia, urging users to scan a QR code to update myGov details. The code led to a fake site that stole personal information.
- ATO Phishing Emails: The ATO reported phishing emails with QR codes claiming to offer tax refunds. These codes directed users to malicious sites mimicking official ATO portals.
- Parking Meter Fraud: In some Australian cities, fake QR code stickers have been found on parking meters, redirecting payments to scammers. This mirrors incidents in Austin, Texas, where drivers unknowingly paid fraudsters.
- Restaurant Scam: A Victorian resident scanned a QR code for a restaurant menu, only to be taken to a site requesting personal details. The code was a sticker placed over the legitimate one.
These cases highlight how scammers exploit everyday scenarios, making vigilance critical.
How to Protect Yourself from Quishing in Australia
To stay safe from quishing scams, adopt these practical measures:
- Inspect QR Codes Before Scanning:
  - Check for tampering, such as stickers placed over original codes on parking meters or signs.
  - Avoid scanning codes in unexpected places, like flyers in your mailbox or on street poles.
  - Confirm with staff at restaurants or businesses before scanning codes for menus or payments.
- Verify the URL After Scanning:
  - After scanning, check the displayed URL before proceeding. Look for misspellings, extra characters, or unusual domains (e.g., “myg0v.com” instead of “mygov.gov.au”).
  - Ensure the site uses HTTPS (the lock icon in your browser’s address bar), but remember that HTTPS only means the connection is encrypted; phishing sites routinely use it too, so it does not prove the site is genuine.
  - If the URL seems unrelated to the expected content (e.g., a menu QR code leads to a login page), exit immediately.
- Be Skeptical of Unsolicited QR Codes:
  - Never scan QR codes from unknown emails, texts, or social media messages, especially those with urgent language or offers that seem too good to be true.
  - Know that government agencies like myGov and the ATO never send QR codes via email or SMS. Treat such messages as scams.
- Use Secure QR Code Scanners:
  - Use a trusted QR code scanner app that previews URLs before opening them, rather than your phone’s default camera.
  - Keep your QR scanning app and device software updated to patch security vulnerabilities.
- Enhance Device Security:
  - Install reputable antivirus software, like Norton 360 Deluxe, to detect and block malicious sites or malware.
  - Enable multi-factor authentication (MFA) on your accounts to reduce the risk if credentials are stolen.
  - Use strong, unique passwords for each account and avoid reusing them.
- Limit Permissions:
  - Restrict QR scanning apps from accessing unnecessary data, like your contacts, location, or microphone.
  - Be cautious if a scanned QR code requests permissions beyond what’s needed (e.g., a menu site asking for location access).
- Educate Yourself and Others:
  - Stay informed about quishing tactics through resources like Scamwatch or the Australian Cyber Security Centre (ACSC).
  - Share knowledge with family, friends, and colleagues to raise awareness.
  - Businesses should train employees to recognize quishing and avoid scanning unverified codes on work or personal devices.
- What to Do If You Scan a Malicious QR Code:
  - Disconnect from the internet immediately to prevent data theft or malware installation.
  - Run an antivirus scan to detect and remove threats.
  - Change passwords for affected accounts and enable MFA.
  - Contact your bank if financial details were entered and monitor accounts for suspicious activity.
  - Report the scam to Scamwatch, your local police, and the Australian Cyber Security Hotline (1300 CYBER1).
Tips for Businesses Using QR Codes
Australian businesses relying on QR codes should take proactive steps to protect customers and their reputation:
- Audit QR Codes Regularly: Check public-facing QR codes for tampering and ensure they link to secure, branded domains.
- Use Secure Links: Host QR codes on verified landing pages with trackable, custom short URLs.
- Add Digital Signatures: Incorporate watermarks or signatures in QR code designs to deter tampering.
- Educate Staff: Train employees to spot quishing attempts and report suspicious codes.
- Inform Customers: Display clear instructions on how to verify legitimate QR codes, such as checking URLs or confirming with staff.
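The URL checks described under “Verify the URL After Scanning” and the “Audit QR Codes Regularly” tip above can be turned into a small script. The following is an added example written for this post, not code from CyberSecRad or any of the cited organisations; it takes the text a scanner app decodes from a QR code and reports the red flags the post lists (no HTTPS, look-alike domains such as “myg0v”, shorteners, raw IP addresses, hidden hosts). The allowlist of expected domains and the brand names are constructed assumptions to be replaced with the services you actually expect.

```python
"""Red-flag checker for the URL decoded from a QR code (stdlib only)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of domains a code is expected to lead to, and brand names
# that scammers imitate; adjust both to the services you actually expect.
TRUSTED_DOMAINS = ("my.gov.au", "servicesaustralia.gov.au", "auspost.com.au")
BRAND_LABELS = ("mygov", "medicare", "auspost")
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "is.gd")
# Digit-for-letter swaps seen in look-alike names such as "myg0v".
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def _under(host: str, domains) -> bool:
    # True if host is one of `domains` or a subdomain of one (login.my.gov.au is fine).
    return any(host == d or host.endswith("." + d) for d in domains)

def inspect_qr_url(url: str) -> list[str]:
    """Return the red flags found in a decoded QR payload (empty list = none found)."""
    parts = urlsplit(url.strip())
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme not in ("http", "https"):
        return [f"non-web scheme '{scheme or '(none)'}'"]  # e.g. intent:, tel:, data:
    flags = []
    if scheme == "http":
        flags.append("not HTTPS")
    if parts.username is not None:
        flags.append("credentials before '@' hide the real host")
    if "xn--" in host or not host.isascii():
        flags.append("internationalised host (possible homoglyph domain)")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if _under(host, SHORTENERS):
        flags.append("URL shortener hides the destination")
    if not _under(host, TRUSTED_DOMAINS):
        flags.append("host is outside the expected domains")
        # Normalise digit swaps and separators so "myg0v.com" and
        # "my.gov.au.verify-login.net" both reveal the imitated brand.
        squashed = host.translate(DIGIT_SWAPS).replace(".", "").replace("-", "")
        flags += [f"brand name '{b}' on an unrelated host" for b in BRAND_LABELS if b in squashed]
    return flags

def audit_codes(payloads: dict[str, str]) -> dict[str, list[str]]:
    """Business audit: map each deployed code (label -> decoded URL) to its flags."""
    return {name: inspect_qr_url(url) for name, url in payloads.items()}
```

For a periodic audit, decode each deployed code, feed the label-to-URL mapping to `audit_codes`, and treat any non-empty flag list as a code to re-check physically.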
The Future of QR Code Safety in Australia
As QR codes remain integral to Australia’s cashless and contactless economy, quishing scams are likely to evolve. Cybersecurity experts predict scammers will use advanced tactics, such as redirecting links through legitimate services or embedding codes in trusted apps. Staying vigilant and adopting robust security practices will be crucial for individuals and businesses alike.
Consumer advocacy group CHOICE has warned that quishing could become one of 2024’s biggest scams, a trend already evident in the UK and US. By fostering a culture of skepticism and prioritizing cybersecurity, Australians can enjoy the convenience of QR codes without falling prey to scammers.
In conclusion, quishing is a growing threat in Australia, exploiting the trust we place in QR codes to steal personal and financial information. From fake parking meter codes to phishing emails impersonating myGov, scammers are using creative tactics to catch victims off guard. By inspecting QR codes, verifying URLs, using secure apps, and staying informed, you can significantly reduce your risk. If you suspect a quishing scam, act quickly to secure your accounts and report it to authorities.
Next time you reach for your phone to scan a QR code, pause and think: Is this code legitimate? A moment of caution could save you from becoming a victim of quishing. Stay safe, Australia!
Sources:
- Australian Competition and Consumer Commission (ACCC) Scamwatch
- Australian Cyber Security Centre (ACSC)
- CHOICE Consumer Advocacy Group
- Services Australia and ATO Warnings
- Cybersecurity Insights from Borderless CS
- Global Quishing Trends
- Practical Tips from Norton, TechTarget, and NordVPN
For more information or to report a scam, visit Scamwatch or call the Australian Cyber Security Hotline at 1300 CYBER1.