The information document titled “QR Kodlarla Gelen Risk: Quishing” published by the Personal Data Protection Authority (“Authority”) examines the concept of quishing, defined as a type of phishing attack executed through QR codes, and addresses the methods by which such attacks are carried out, the mechanisms through which they may be detected, and the matters to which individuals should pay attention in order to mitigate the risks arising from such attacks.
QR Code Technology and Risk Area
It is stated that QR (Quick Response) codes are used in many areas such as website links, payment systems, menu and catalogue access, identity verification processes, and campaign participation procedures.
However, it is emphasized that since QR codes are visually presented only in the form of a square code and the link they contain cannot be directly viewed by the user prior to scanning, they may become a tool susceptible to manipulation by malicious actors. QR codes are classified as “static” and “dynamic” depending on whether the content to which they redirect can subsequently be modified. Dynamic QR codes allow the target content to be updated without any change to the visual structure of the code; this flexibility may be exploited by cyber threat actors to transform the redirected resource into a malicious target without making any alteration to the appearance of the code.
In this context, it is noted that attackers may direct users to malicious links by:
- Placing a fake QR label over an existing QR code,
- Sending a fake QR code via email or SMS,
- Sharing QR codes through social media platforms or online advertisements,
- Preparing posters and informational materials that appear to be institutional.
Quishing Method and Operation
“Quishing,” a term derived from the combination of “QR” and “phishing,” is defined as a phishing method carried out by cyber threat actors through the use of fraudulent or subsequently altered QR codes, whereby individuals are redirected to malicious websites, persuaded to disclose their personal data, or caused to install malicious software on their devices. Under this method:
- The user scans a QR code believed to belong to a trusted institution,
- The device redirects the user to a fraudulent website designed to closely resemble the authentic site,
- The user is requested to provide identity information, contact details, financial data, passwords, or verification codes,
- The entered information is recorded by the attackers and misused.
Furthermore, it is indicated that in certain cases, the downloading of malicious software may be enabled via the QR code; as a result, consequences such as the compromise of the device, occurrence of data breaches, or unauthorized access to corporate networks may arise. In particular, the transmission of QR codes in visual form via email further complicates the detection of malicious links by email security systems.
Detection of Quishing Attacks
The document addresses detection indicators under three categories:
- Physical environment indicators: The QR code giving the impression of having been subsequently affixed onto the printed surface, being overlaid on another code, or appearing inconsistent with the texture and design of the surface on which it is placed; redirection to unusual payment, discount, or campaign offers whose source is not specified.
- Digital communication channel indicators: The unsolicited transmission of a QR code by unknown or unexpected senders; attempts to induce scanning of the code by creating a sense of urgency or panic based on reasons such as account security issues, suspicious transactions, or delivery problems; the sharing of QR codes through messages that do not clearly identify the sender.
- Possible situations that may arise after scanning the QR code: Redirection to pages requesting identity verification or the entry of financial information; the opened page bearing a domain name inconsistent with the institution it purports to represent; the occurrence of unexpected file downloads or additional redirects.
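The indicators in the third category (domain inconsistent with the claimed institution, unexpected downloads, additional redirects) can be applied mechanically to a decoded QR payload before the link is opened. The following Python script is an added example and not part of the Authority's document; the sample payloads, the expected institution domain (example-bank.com) and the list of redirector hosts are all constructed for illustration.

```python
"""Triage decoded QR-code payloads against the quishing indicators listed above.

Added example (not from the Authority's document). It takes the *decoded* text
of a QR code (what a reader app would show) and an expected institution domain,
and reports which indicators fire. All sample values below are constructed.
"""
from urllib.parse import urlparse

# File types that, when served straight from a QR link, match the
# "unexpected file download" indicator (constructed, non-exhaustive list).
DOWNLOAD_EXTENSIONS = (".apk", ".exe", ".zip", ".msi", ".ipa")

# Hypothetical set of URL shorteners / redirectors: a short link hides the
# final target the same way a dynamic QR code does (constructed list).
REDIRECTOR_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


def host_matches(host, expected_domain):
    """True only if host is the expected domain or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def analyze_qr_payload(payload, expected_domain):
    """Return the list of indicator names raised by one decoded payload.

    An empty list means none of these checks fired; it is not proof of safety.
    """
    findings = []
    parsed = urlparse(payload.strip())

    # QR codes can carry non-web schemes (tel:, wifi:, intent:); a code that
    # claims to open a website but does not use http(s) is itself suspicious.
    if parsed.scheme not in ("http", "https"):
        findings.append("non-web scheme")
        return findings
    if parsed.scheme == "http":
        findings.append("unencrypted http")

    host = parsed.hostname or ""
    # "https://bank.example@evil.example/" shows the bank name but opens evil.example
    if parsed.username or parsed.password:
        findings.append("credentials in URL")

    if host in REDIRECTOR_HOSTS:
        findings.append("redirector / shortener")
    elif not host_matches(host, expected_domain):
        findings.append("domain mismatch")
        # Look-alike check: institution name embedded in an unrelated host,
        # e.g. example-bank.com.login-verify.net
        if expected_domain.split(".")[0] in host:
            findings.append("look-alike domain")

    if parsed.path.lower().endswith(DOWNLOAD_EXTENSIONS):
        findings.append("direct file download")
    return findings


# Constructed sample payloads, as a reader app would decode them.
SAMPLE_PAYLOADS = [
    "https://www.example-bank.com/kampanya",
    "https://example-bank.com.login-verify.net/dogrulama",
    "http://bit.ly/abc123",
    "https://cdn.example-files.net/update.apk",
    "https://example-bank.com@evil.example/login",
    "tel:+905551234567",
]


def triage_samples(expected_domain="example-bank.com"):
    """Map each sample payload to the indicators it raises."""
    return {p: analyze_qr_payload(p, expected_domain) for p in SAMPLE_PAYLOADS}


if __name__ == "__main__":
    for payload, findings in triage_samples().items():
        status = "clean" if not findings else ", ".join(findings)
        print(f"{payload}\n    -> {status}")
```

The script operates on the decoded text because the visual code itself reveals nothing; in practice the decode step comes from the reader app (or, for the email case mentioned above, from an image-decoding stage in the mail gateway). Which domain counts as "expected" must come from the context the code claims (the poster, the invoice, the sender), not from the QR content itself.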
Protective Measures Recommended for Individuals
The principal measures recommended by the Authority for individuals are listed as follows:
- Being mindful of QR codes in public areas,
- Refraining from scanning QR codes whose source cannot be verified,
- Checking whether QR codes displayed in physical environments have been subsequently affixed,
- Preferably using reliable QR code readers; where the use of a third-party application is required, ensuring that the application is trustworthy,
- Carefully examining the internet address to which the user is redirected after scanning the QR code,
- Using up-to-date operating systems and security software on mobile devices, setting strong passwords, and enabling multi-factor authentication mechanisms.
Through the aforementioned information document, it is explained that although QR codes constitute a practical tool, they may give rise to serious risks with regard to personal data when misused; acting with awareness is emphasized as the most effective safeguard against potential threats.
You can access the full text of the document at this link (only in Turkish).