Cybersecurity News that Matters

Cybersecurity News that Matters

Qshing: The rising threat of QR code-based phishing

Designed by Daeun Lee, The Readable

by Minkyung Shin

Jun. 26, 2024
11:33 PM GMT+9

A QR code, short for Quick Response code, is a type of barcode that can be scanned by a smartphone to swiftly retrieve various types of information. It finds applications across numerous everyday scenarios such as making payments, purchasing electronic tickets, obtaining Wi-Fi access, and sharing business card details.

QR code technology was first developed in 1994 by Denso Wave, a Japanese automotive products company, primarily for tracking and managing car parts. Since then, its usefulness has expanded to include a variety of industries and applications, always for the purpose of sharing information efficiently. For example, during the COVID-19 pandemic, the QR code emerged as a valuable tool for identifying and verifying individuals.

The hidden danger of the QR code

However, despite their being widely distributed and useful in many applications, QR codes have also become susceptible to exploitation. In November 2017, the Ministry of the Interior and Safety (MOIS) of South Korea issued a warning about four new types of digital financial fraud, one of which is ‘Qshing.’ According to the MOIS, Qshing—a term that combines “QR code” and “phishing”—refers to scams that exploit QR codes to deceive users into downloading malicious applications in order to steal personal information for the purpose of committing further crimes.

For example, hackers distribute fake QR codes online or attach malicious QRs in public places, such as at bike-sharing stations, on restaurant menus, and on posters advertising goods and services. These deceptive QR codes—which look completely authentic and fully legitimate—trick users into inputting their personal information, an action that allows hackers to alter their smartphone settings in order to gain unauthorized access to their victims’ private and sensitive information, including banking and financial details.

QR code scams are on the rise in South Korea. The Readable has compiled data from the Korean National Police Agency (KNPA), which investigates these crimes and responds to the threats they pose. This trend highlights the growing importance of vigilance and preventive measures to safeguard against these fraudulent activities.

Cybercrime incidents and arrests involving Qshing

Source: Korean National Police Agency. Designed by Daeun Lee, The Readable

Financial fraud cases involving Qshing

Source: Korean National Police Agency. Designed by Daeun Lee, The Readable

In its 2023 threat outlook report, the South Korean cybersecurity company SK Shieldus stated that phishing and Qshing incidents accounted for 18.6% of total security incidents, based on data collected from their customers. The report highlighted a 60% increase in Qshing incidents compared to the previous year.

2023 Security incidents

Source: SK Shieldus. Designed by Daeun Lee, The Readable

How hackers use QR codes to steal money

According to the United States Social Security Administration, hackers are covering official QR codes with fake ones in places likely to elicit a response, such as on parking meters, on restaurant menus, and in magazines. Additionally, they are spamming emails and messages containing malicious QR codes, exploiting unsuspecting individuals who scan them without realizing the potential risks involved in carrying out such a seemingly simple action.

In November 2023, a woman in the United Kingdom scanned a fake QR code in the parking lot of Thornaby train station, resulting in a loss of $16,400 (£13,000). According to a BBC News report, hackers had placed a counterfeit QR code over the legitimate one used for making parking payments. The victim unwittingly entered her card information into the website the fake QR code linked her to, intending to pay for parking. She instead, however, fell victim to theft.

In 2015, South Korea’s Financial Supervisory Service (FSS), responsible for examining and overseeing financial institutions, uncovered a QR code scam. The victim received a fraudulent QR code message while transferring money through a banking application. Believing it was legitimate, the individual followed the instructions provided by the malicious QR code, which led to the installation of another application and the theft of the victim’s card information. As a result, the victim had $251 (350,000 won) stolen from their bank account.

Hewlett-Packard (HP) has analyzed a QR code scam in China involving an office document attached to a Chinese-language email. According to HP, the QR code falsely claimed that the recipient was eligible for a Chinese government subsidy in the fourth quarter of 2022. The scam entailed requesting personal information such as credit card numbers, identification document (ID) numbers, and credit card expiration dates under the guise of receiving the subsidy. HP highlighted that this tactic was designed to circumvent fraud detection measures and could potentially result in severe identity theft issues.

How to respond to Qshing

On December 6, 2023, the U.S. Federal Trade Commission (FTC) cautioned consumers to carefully verify the URL before scanning any QR code and to avoid interacting with QR codes from dubious sources.

The Federal Bureau of Investigation (FBI) issued an official warning on January 18, 2022, regarding the manipulation of QR codes and providing guidance on safeguarding oneself against exploitative QR scams. The FBI stated in their warning, “Malicious QR codes may also contain embedded malware, enabling criminals to access the victim’s mobile device and steal their location, personal, and financial information.”

The Readable requested an interview with an organization that offers QR code scam training for police agencies to explore the severity of QR code fraud.

Jin Sung-kook, Secretary General of the Qshing Prevention Safety QR Certification Association, emphasized, “Financial and public institutions are increasingly incorporating QR codes into their websites, employee business cards, and election posters.” He highlighted the growing threat of Qshing fraud using QR codes and stressed the urgency for financial and public institutions to implement preventive education and institute a system of countermeasures.

“It is difficult to ascertain whether a QR code is malicious until it is scanned, making it crucial to exercise caution when prompted for personal information or encouraged to install apps,” said Kwak Jin, Professor in the Department of Cyber Security at Ajou University. “We must develop technical countermeasures like blocking application installs or issuing warnings to mitigate risks effectively.”


Subscribe to our newsletter for the latest insights and trends. Tailor your subscription to fit your interests:

By subscribing, you agree to our Privacy Policy. We respect your privacy and are committed to protecting your personal data. Your email address will only be used to send you the information you have requested, and you can unsubscribe at any time through the link provided in our emails.

  • Minkyung Shin

    Minkyung Shin serves as a reporting intern for The Readable, where she has channeled her passion for cybersecurity news. Her journey began at Dankook University in Korea, where she pursued studies in...

    View all posts
Stay Ahead with The Readable's Cybersecurity Insights