
Defend Your Data: Beware of ‘quishing,’ scams involving QR codes


Quick response codes have exploded in popularity because they are free, easy to create and a convenient alternative to a long or complicated web address. They are also being used in a new form of cyberattack called “quishing.”

Bad actors are using QR codes to deliver malware or direct victims to fraudulent websites aimed at stealing personal information or data. These scams are tricky because it can be difficult to distinguish a legitimate QR code from a malicious one, and email security systems often don’t detect image files.

Information Technology Services offers the following three tips to protect against this growing threat:

1. Consider the source. If you come across a QR code in a public place, or you get one via text or email, pay attention to the details. Is it affiliated with or located in a business or institution you know and trust? Does the business normally rely on QR codes? 

2. Only scan trusted codes. Be sure the code you’re about to scan hasn’t been altered, such as by a sticker applied over an original document.

3. Preview the destination. Make sure to preview where the QR code will lead you. Before you tap the URL, take a close look and make sure it’s secure: the URL the code points to should start with https://. Cybercriminals often use URL shorteners to mislead you.

Learn more at DefendYourData.wvu.edu and forward suspicious-looking emails as an attachment to DefendYourData@mail.wvu.edu. Employees can also use the Report Message button in Outlook.