
Millions hit in quishing attacks as malicious QR codes surge — how to stay safe
As reported by CNBC, millions of people have been victimized by quishing as more and more bad QR codes have appeared in public places.
According to security researchers at NordVPN, more than 26 million people have been directed to malicious websites through illegitimate QR codes. Likewise, earlier this year the FTC issued a warning about QR codes appearing on unexpected or unwanted packages that – when scanned – would lead the recipients to phishing websites that steal personal information like usernames and passwords and even credit card numbers. These websites could also potentially download malware onto your phone or give cybercriminals control over your device.
Other places have issued similar warnings: The New York City Department of Transportation warned against QR codes appearing on parking meters that had fake payment links, and Hawaii Electric also warned customers about scammers that were trying to steal payments through QR codes.
A study done by the cybersecurity platform KeepNet Labs found that 26% of all malicious links are now sent via QR code; this may be because the use of QR codes is now more widespread as they're accepted in more places and because there are better protections in place for traditional email phishing campaigns.
Posters, billboards, flyers and official documents that contain legitimate QR codes can very easily be compromised by threat actors, who simply paste a malicious code over the original. Think of this like scammers putting a fake keypad over an ATM or fitting a gas pump with a credit card skimmer.
It can also be quite difficult for most people to determine if a QR code has been tampered with in this manner. Since QR codes were designed for convenience and not security, they're ideal targets for hackers and scammers. In fact, their creator, who originally designed them to keep track of auto parts, never meant for them to be used the way they are today.
QR codes are more dangerous than a traditional phishing email because they make it difficult for users to read the encoded web address; indeed, the human-readable text can often be modified. This is why QR codes have been used more frequently by threat actors to infiltrate critical networks and the accounts of military personnel, as well as to distribute RATs (remote access trojans), which can give hackers access to targeted devices and networks.
As with all phishing-style scams, the aim is to rely on victims being in a hurry or rushing to correct a problem, which means that the best way to protect yourself is to remain calm, aware and vigilant.
Just like you wouldn't click on an unexpected link or attachment in an email or text, you shouldn't scan any QR code you see pasted on a street sign, poster or advertisement. For instance, if the QR code is on the bottom of a poster or advertisement, search for that instead and then go to the company's or event's website directly.
If you do scan a QR code and get taken to a page, you want to avoid filling out any forms asking for your personal information.
Likewise, you also want to inspect that site's URL for any suspicious signs. Does the website use a top-level domain like ".com" that you're familiar with? Or is it using one like ".TV" or one you haven't heard of before? This could be a sign that you're on a phishing page and not a legitimate website.
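The URL inspection described above can be written down as a short triage routine; this is an added example, not code from the article or from any product it mentions. It goes beyond the top-level-domain check to cover a few other URL signs, and the function name, the `FAMILIAR_TLDS` set and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the TLDs this reader considers familiar; adjust to your own list.
FAMILIAR_TLDS = {"com", "org", "net", "gov", "edu"}

def triage_qr_url(decoded, expected_domain=None):
    """Return warning labels for a string already decoded from a QR code.

    expected_domain is the organisation's real domain, looked up
    independently (not read from text printed next to the code).
    """
    try:
        parts = urlsplit(decoded.strip())
    except ValueError:
        return ["unparseable"]
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return warnings + ["no-host"]
    if parts.username is not None:
        # "https://brand.com@other-host/" really goes to other-host.
        warnings.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
        is_ip = True
    except ValueError:
        is_ip = False
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        warnings.append("punycode-label")  # may render as look-alike letters
    if not is_ip and labels[-1] not in FAMILIAR_TLDS:
        warnings.append("unfamiliar-tld:" + labels[-1])
    if expected_domain:
        exp = expected_domain.lower().rstrip(".")
        if host != exp and not host.endswith("." + exp):
            warnings.append("host-mismatch")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real campaign.
    for url in ("https://pay.example.com/meter/123",
                "http://example-pay.tv/meter/123",
                "https://example.com@203.0.113.7/pay"):
        print(url, "->", triage_qr_url(url, "example.com") or "no warnings")
```

An empty result only means none of these signs were present; it does not show that the destination is legitimate.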
If you have an Android device, you can add an extra layer of protection with one of the best Android antivirus apps that can help provide protection against both malware and phishing attacks.
At the same time, if you're really worried about getting scammed or hacked, you might want to invest in one of the best identity theft protection services as not only can they help you get your identity back but they can also aid you in recovering any funds lost to fraud.
Now that QR codes and scanning them to access menus and other info have become commonplace, this threat likely isn't going away anytime soon. In fact, it might actually get worse as cybercriminals devise new ways to use QR codes in their attacks. That's why it's up to you to be extra cautious whenever you interact with a QR code, as failing to do so could have serious implications.