QR code phishing, also known as quishing, is a technique that tricks people into scanning a QR code. The QR code takes the user to a fraudulent website that might download malware or ask for sensitive information.
Scammers use emails that pose as credible companies and ask the user to scan the QR code in their email. For example, they may say that the user's payment from an online purchase did not go through, and they need to re-enter their credit card information by scanning the QR code.
QR code phishing is a challenging threat because it moves the attack channel from the protected email environment to the user's mobile device, which is often less secure. With QR codes, the URL is not exposed within the body of the email. This approach renders most email security scans ineffective.
Caution: Alarm.com does not use QR codes in emails (e.g., resetting passwords, viewing account information, etc.). If a suspicious email is received, do not scan the QR code and report the email as phishing.
Avoid phishing attacks
There are precautions that can be taken to avoid phishing attacks:
- Stay informed about new phishing techniques
- Verify From email addresses
- Think before clicking on any links or scanning QR codes
- Hover over links that you are unsure of before clicking on them to review the QR code's URL
- Install free phishing add-ons
- Do not give your information to an unsecured site
- If the URL of the website does not start with https or you cannot see a closed padlock icon next to the URL, do not enter any sensitive information or download files from that site
Identify phishing emails
There are several factors that can be used to help identify phishing emails:
- Demanding urgent action
- Bad grammar and spelling mistakes
- Unfamiliar greeting or salutation
- Inconsistencies in email addresses, links, and domain names
- Emails requesting login credentials, payment information or sensitive data
- Suspicious attachments
- Too-good-to-be-true emails
It does not matter if you know the person who sent you the email or not. When viewing an email that is potentially dangerous, consider the following questions:
- Suspicious in any way?
- Telling you to click a link, button, or attachment?
- Offering something that’s too good to be true?
- Pushing you to do something quickly?