Cyberattacks continue to evolve and have become increasingly sophisticated and deceptive. Fraudsters tirelessly seek new ways to scam in their pursuit of sensitive information and financial gain.
With the advent of contact-free payments, such as QR payments made with smartphones, that offer faster transactions, users should be more discerning: fraudsters now employ new scams targeting these payments, commonly known as quishing.
Quishing, or QR code phishing, is a phishing scam in which hackers use fake or manipulated QR codes to carry out illegal and fraudulent activities and schemes, such as spreading malware and stealing personal information.
Carlos Tengkiat, Chief Information Security Officer of Rizal Commercial Banking Corporation (RCBC), cautions users to be extra careful of quishing schemes, as they can easily trick people who are not very cautious about how they make QR payments.
“Quishing is the method used in fraud where valid QR codes are replaced with another code to facilitate fraud or information harvesting,” Tengkiat explains. You can become a victim of quishing by scanning fraudulent and fake QR codes, opening malicious websites, or installing fake applications on your mobile phone.
Besides spreading malware and stealing your information, quishing can also be used to send your funds illegally to other accounts.
Here are quick tips to avoid QUISHING:
- NEVER scan QR codes from unfamiliar sources.
- For physical QR codes that you scan, carefully inspect whether the code has been tampered with, for example by a sticker placed over the QR code itself. QR codes can easily be replaced with malicious ones that direct you to sites prompting you to log in with your credentials.
- Ensure that QR codes delivered electronically come from a valid source, application, and email. Tengkiat added that if you are receiving a QR code from another person, you should validate it with the sender first before scanning or uploading it, to make sure that they indeed sent it.
- Check the website that you are redirected to by a QR code and make sure it is a valid site. “Ensure that it has a trusted domain and uses HTTPS. Watch out for any misspellings,” Tengkiat said.
- Always be up to date on news of fraud as scammers often update their schemes to trick people.
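The checks in the tips above (HTTPS, a trusted domain, no misspellings) can be applied to the text decoded from a QR code before it is opened. The following is an added example, not part of the original article or of RCBC's tooling; the allowlisted domains, the warning labels and the edit-distance threshold of 2 are assumptions made for illustration, and it also flags punycode hostnames, which the article does not mention.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist (constructed): use the domains your provider publishes.
TRUSTED_DOMAINS = {"examplebank.com", "pay.example.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_qr_url(url: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return warnings for a URL decoded from a QR code (empty list = passes)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if not host:
        return warnings + ["no-host"]
    labels = host.split(".")
    # Internationalized labels can hide look-alike characters.
    if any(label.startswith("xn--") for label in labels):
        warnings.append("punycode-host")
    # Trusted only if the host IS the domain or a true subdomain of it.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return warnings
    warnings.append("untrusted-domain")
    # Compare every run of labels against each trusted domain: this catches
    # misspellings and a trusted name embedded in someone else's host.
    for d in sorted(trusted):
        n = d.count(".") + 1
        runs = {".".join(labels[i:i + n]) for i in range(len(labels) - n + 1)}
        if any(edit_distance(r, d) <= 2 for r in runs):
            warnings.append(f"lookalike-of:{d}")
    return warnings
```

An empty result means only that the URL passed these three checks; the decoded URL should still be shown to the user before it is opened.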
Generally, when transacting digitally or using your money apps for payments, it is always best to practice caution. Being careful includes being critical of websites that you are redirected to after scanning and that ask for personal details. Never enter your login credentials when an unfamiliar site asks for them.
You should also think twice before scanning any QR code. Update your devices regularly and use strong passwords for your e-wallet and online banking apps (ideally, a password with eight characters with a combination of alphanumeric and special characters).
RCBC believes that cybersecurity is a shared responsibility among consumers, government, and private financial institutions. Everyone must do their part to prevent digital monetary fraud. As such, RCBC is committed to doing its part in battling online fraud by spreading cybersecurity awareness and using security tools to protect its consumers from fraud.