QR Code Warning

If you are reading this page, you most likely scanned a QR code that redirected you here from another website. If so…

My name is Shawn Janzen, a Professorial Lecturer at The American University Kogod School of Business. One of my areas of work involves the human side of cybersecurity. The QR code you scanned that brought you to this page is part of an effort to raise awareness about the dangers of scanning QR codes and how we can all be safer in a digital world where it is increasingly hard to spot the bad actors. Please read this page to learn more.

I’d greatly appreciate it if you left the page, sticker, etc. that had the QR code as you found it for the next person. Please note, I am not collecting any personal information from your QR scan. I only use a tracker that tells me the number of times the QR code was scanned; I do not collect information about the device or user scanning it. I’m happy to talk more with you about QR codes and Quishing (QR phishing). You can find me at AU Kogod or email me: janzen@american.edu.

Image that defines different ways to steal your information using phishing by email, vishing by phone, smishing by text, and quishing by QR code.

I could be posting to your social media, sending calls & texts from your device, running programs on your device, or wiping it entirely. I could install content on your device that just lives there, monitoring your activity and sending me anything you type, including passwords and copies of your two-factor authentication (2FA) text messages.

I could then pretend to be you when contacting companies, committing identity theft and locking you out of your accounts. I could make purchases on your behalf, from opening other phone lines to opening new accounts with other companies, so that I can commit crimes under your name. I could start trolling with hate speech and other vile things on your social media or spam it from your work email, perhaps posting pornographic content too. Maybe you’d get it sorted out in time, before you get fired from work and I leave you with a mountain of debt.

Additionally, I could use it to develop profiles on your friends, family, and colleagues, so that I may spear phish them and continue my chaos.

Asking you to avoid QR codes completely might be unreasonable, and sometimes scanning one is unavoidable.

Next time:

  1. Avoid scanning QR codes unless you are sure they’re safe — at least safe enough that you are willing to risk all the information on your device.
    • Be particularly cautious if you see QR code stickers placed in easily accessible spots, such as on delivered packages, restaurant tables/menus, or check-in desks at places you go like school, the bank, or shops. People who work there might not notice that someone put a QR sticker atop the correct one, or put an innocent-looking one where there wasn’t a QR code before. So ask someone before you scan and approve; afterwards it’s too late.
  2. If a QR code should take you to a website, that website’s full URL should be printed next to the QR code. Check that URL against the one that should pop up on your phone before you approve going to that website.
  3. Even better, don’t scan the QR code and try going to the site directly on your device by typing in the URL or using a search feature to find it.

These steps are not foolproof, but they do help add a layer of protection as good “cyber hygiene” behaviors.
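The comparison in step 2 can be made mechanical. The following Python sketch is an added example, not part of the original page: it compares the URL printed beside a QR code with the URL the scanner decoded and lists every reason the two do not lead to the same place. The function names and all sample URLs are constructed for illustration, and the check covers the destination (scheme, host, port) only, not what the site does after you arrive.

```python
from urllib.parse import urlsplit


def _port(parts):
    """Explicit port, None if absent, -1 if the port is malformed."""
    try:
        return parts.port
    except ValueError:
        return -1


def compare_qr_url(printed: str, scanned: str) -> list[str]:
    """List the reasons `scanned` does not lead where `printed` says (empty = match)."""
    p, s = urlsplit(printed.strip()), urlsplit(scanned.strip())
    problems = []
    if s.scheme != "https":
        problems.append("not https")
    if s.username is not None or s.password is not None:
        # Everything before "@" is login data; the real host comes after it.
        problems.append("userinfo before host")
    p_host = (p.hostname or "").rstrip(".")
    s_host = (s.hostname or "").rstrip(".")
    if not s_host.isascii() or any(label.startswith("xn--") for label in s_host.split(".")):
        problems.append("internationalized host, possible look-alike")
    if s_host != p_host:
        problems.append(f"host mismatch: {s_host} != {p_host}")
    if _port(s) != _port(p):
        problems.append("port differs from printed URL")
    return problems


# Constructed sample values (example.* domains are reserved for documentation).
PRINTED = "https://events.example.edu/signup"
SAMPLES = [
    "https://events.example.edu/signup",
    "http://events.example.edu/signup",
    "https://events.example.edu@signup.example.net/",
    "https://events.example.edu.signup.example.net/",
    "https://events.ex\u0430mple.edu/signup",  # Cyrillic letter in place of Latin "a"
]

if __name__ == "__main__":
    for url in SAMPLES:
        shown = url.encode("ascii", "backslashreplace").decode()
        print(shown, "->", compare_qr_url(PRINTED, url) or "match")
```

Only the first sample matches; each of the others starts with or contains the printed host name yet resolves somewhere else, which is why reading the whole address, not just its beginning, matters.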

If you make and share your own QR codes, you should also include the full URL with it and/or state what the QR code should do (e.g., open a specific app). Know that if your QR code is printed somewhere, like a flyer or placed on a table, that I could just as easily make a sticker to go atop your QR code and take control.

Still not convinced? Never heard of quishing and think I might be making it up? Check out a few quishing attack headlines.

Be skeptical! Be safe online!

Image showing a mobile phone scanning a QR code and the phone displays a red skull and crossbones over the QR code.

If you want to learn more about staying safe online, share your thoughts, or complain about being tricked, you can find me at The American University Kogod School of Business where I teach analytics and conduct cybersecurity research (Profile link).