Recently, the FBI and other federal agencies raised alarms about a rise in QR code phishing, or quishing, delivered through unsolicited packages arriving at people's doorsteps. These packages often include a QR code that, when scanned with a phone camera, sends the recipient to a fake website or prompts them to install malware. Either outcome can compromise the device and expose personal data.

Quishing Targets Online Buyers and Sellers

The latest warnings concern versions of the scam aimed at people who regularly pay or get paid online. Attackers generate QR codes that link to look-alike websites built to harvest login credentials and payment details. According to the Brandenburg Consumer Advice Centre (Verbraucherzentrale Brandenburg, VZB), the stolen data can give fraudsters access to the victim's phone and bank accounts, allowing them to siphon off money.

In one scenario, scammers pose as legitimate buyers interested in a product the victim is selling. Instead of sending payment directly, they ask the seller to scan a QR code to "initiate the transaction". The code leads to a fake PayPal login page, and a seller who enters their credentials there hands them straight to the attacker. This is ordinary credential phishing; the QR code simply replaces the link that would otherwise arrive in an email.

FBI says be cautious of unwanted packages and never scan the QR code contained. / © nextpit

Some attacks go further still and use zero-click techniques that need no user interaction at all, so the victim does not even have to scan a code. These are a different class of attack from quishing and are typically aimed at high-profile individuals such as politicians, journalists, lawyers, and activists.

Security expert Alex East from Cyber Security Coach Online warns that attackers also place fraudulent QR codes in public and private locations, such as on gas pumps or convenience store payment terminals, where the code redirects customers to a malicious site in the middle of a routine payment.

How to Protect Yourself from Quishing

To avoid falling for QR code scams, VZB advises staying alert during every digital transaction. The direction of the QR code matters: the party receiving money presents the code and the payer scans it, so if you are the seller you should never have to scan anything to get paid, and a "buyer" who insists on it is a red flag. Before entering anything on the page a code opens, inspect the address bar for a misspelled or unfamiliar domain, and the page itself for an unusual layout.

More generally, be cautious with QR codes found in unsolicited packages, email attachments, or public places, since they may lead to malicious websites. When you have any doubt about a code's origin, do not scan it at all; if you need the site the code supposedly points to, type the address you already know into the browser instead.
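The checks above (look at the scheme, the real hostname, and whether the domain merely resembles the brand it claims to be) can be run mechanically on the text a QR reader decodes, before anyone taps the link. The following Python inspector is an added example and is not code from the original article or from VZB. It assumes the QR payload has already been decoded to a string, which every reader app exposes; the TRUSTED_DOMAINS allow-list, the SHORTENERS set, the CONFUSABLES table and the sample payloads in the main block are constructed for illustration and not taken from real scams.

```python
"""Pre-flight checks for a URL decoded from a QR code, before anyone opens it.

Added example, not code from the original article or from VZB. It assumes the
QR payload has already been decoded to a string; TRUSTED_DOMAINS, SHORTENERS,
CONFUSABLES and the sample payloads in the main block are constructed.
"""
import ipaddress
import re
from typing import List
from urllib.parse import unquote, urlsplit

# Hypothetical allow-list: the brands this particular user actually pays through.
TRUSTED_DOMAINS = {"paypal.com": "PayPal", "amazon.com": "Amazon"}

# URL shorteners hide the real destination; treat them as a warning (constructed set).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "qrco.de"}

# Digit-for-letter substitutions commonly used to build look-alike hostnames.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the .com brands used here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats (paypal.co, paypall.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_qr_url(payload: str) -> List[str]:
    """Return human-readable red flags for a decoded QR payload ([] means none found)."""
    findings = []
    payload = payload.strip()
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", payload):
        payload = "https://" + payload  # bare hostname: treat it as a web URL
    parts = urlsplit(payload)  # urlsplit lowercases the scheme and hostname

    if parts.scheme not in ("http", "https"):
        # WIFI:, tel:, mailto:, intent: ... make the phone do something other than open a site
        return [f"non-web scheme '{parts.scheme}': this code triggers an action, not a website"]
    if parts.scheme == "http":
        findings.append("plain HTTP: a genuine payment page is served over HTTPS")
    if parts.username is not None:
        # https://paypal.com@evil.example/ -- the text before '@' is a username, not the host
        findings.append(f"text before '@' is a username; the real host is '{parts.hostname}'")

    host = parts.hostname or ""
    if not host:
        return findings + ["no hostname in URL"]
    try:
        ipaddress.ip_address(host)
        return findings + ["raw IP address instead of a domain name"]
    except ValueError:
        pass  # a normal hostname, carry on

    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode (xn--) label: possible homoglyph domain")

    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append(f"URL shortener '{reg}': the destination is hidden")

    if reg not in TRUSTED_DOMAINS:
        norm_host = host.translate(CONFUSABLES)
        norm_reg = reg.translate(CONFUSABLES)
        for trusted, brand in TRUSTED_DOMAINS.items():
            word = brand.lower()
            # Brand name used as a subdomain or in the path: paypal.com.login-verify.example
            if word in norm_host or word in unquote(parts.path).lower():
                findings.append(f"mentions {brand} but the registrable domain is '{reg}', not '{trusted}'")
            # Typosquat: identical after confusable substitution, or a single edit away
            if norm_reg == trusted or levenshtein(norm_reg, trusted) == 1:
                findings.append(f"'{reg}' is a look-alike of '{trusted}'")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, not QR codes observed in the wild
    for sample in [
        "https://www.paypal.com/signin",
        "https://paypal.com.login-verify.example/",
        "http://paypa1.com/account",
        "https://paypal.com@evil.example/login",
        "WIFI:T:WPA;S:FreeCafe;P:hunter2;;",
    ]:
        flags = inspect_qr_url(sample)
        print(sample, "->", "OK" if not flags else "; ".join(flags))
```

The allow-list is deliberately short: the point is to compare what the code claims to be against the registrable domain the browser will actually connect to, which is the one detail a lookalike page cannot hide. A non-web scheme is reported on its own because a code that opens Wi-Fi settings or a dialer instead of a website is a different kind of risk and the user should know before scanning.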

Strengthening your account security with two-factor authentication (2FA) is also highly recommended, especially where money is involved. Better still, switch to passkeys where they are offered: a passkey is bound to the genuine site's domain, so it cannot be entered on a look-alike page the way a password and a one-time code can, which is exactly what the fake PayPal login page relies on. Many apps and websites now support them.

Both iPhones and Android devices offer built-in protections that can catch some of these scams, including warnings for known fraudulent websites and scam detection in messages and calls. Make sure these features are turned on.

What other tips should users keep in mind to stay safe online and avoid Quishing scams? Share your suggestions in the comments.
