- 2025-01-21 15:23:00

Quishing: beware of QR code scams

With QR codes becoming increasingly prevalent in our daily lives, a new form of scam called "Quishing" has emerged.

This malicious method exploits QR codes to access your data or infect your devices. Find out how scammers operate this fraud and how you can protect yourself effectively.

Quishing: when QR codes become scam tools

QR codes are everywhere: to access menus in restaurants, to share Wi-Fi codes or to make payments. Unfortunately, their ease of use makes them a perfect target for cybercriminals.

"Quishing", a combination of "QR code" and "phishing", uses QR codes to direct victims to fraudulent websites or execute malicious programmes on their devices.

How does a Quishing attack work?

The attack relies on a simple yet effective process:

  1. A malicious QR code is created: scammers generate a QR code that redirects to a phishing site or enables the downloading of malicious software.
  2. The QR code is shared: they place these codes in public areas, send them by email or messaging, or publish them on social media. They often disguise them as promotional offers or necessary downloads (discounts, updates, etc.).
  3. The victim is caught: a person scans the QR code without being suspicious, thinking they are accessing a legitimate resource.
  4. The data is exploited: the victim is redirected to a fraudulent website or their device is infected.

How to protect yourself against Quishing?

Adopt these simple reflexes to avoid falling into the trap:

  • Be vigilant: treat QR codes with the same caution as unknown links in an email or SMS.
  • Check the URL: before clicking, check the web address displayed if your scanning app allows it. An unofficial URL or one with spelling mistakes is suspicious.
  • Validate the source: make sure the QR code comes from a reliable source before scanning it.
  • Use secure scanners: some apps analyse QR codes before opening them.
  • Search directly online: if you have doubts, perform a search on an official search engine instead of scanning the code.
  • Keep your devices up to date: updates fix vulnerabilities that cybercriminals can exploit.
  • Report suspicious codes: send suspicious QR codes to suspect@safeonweb.be for analysis.
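
The "Check the URL" reflex above can be partly automated once the text inside a QR code has been decoded. The sketch below is an added example, not code from the bank or from Safeonweb: the official domains (bank.example, pay.example) are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumption: the domains you treat as official (constructed placeholders).
OFFICIAL = {"bank.example", "pay.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Naive last-two-labels guess; a real tool would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def assess_qr_payload(payload):
    """Return (verdict, reasons) for the text decoded from a QR code."""
    parts = urlsplit(payload.strip())
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", reasons + ["no host name in payload"]
    if parts.username or parts.password:
        reasons.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, continue with name checks
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible look-alike characters)")
    domain = registrable(host)
    if domain not in OFFICIAL:
        near = [o for o in OFFICIAL if 0 < edit_distance(domain, o) <= 2]
        reasons.append(f"misspelling of {near[0]}" if near else f"unofficial domain {domain}")
    return ("suspicious" if reasons else "official"), reasons
```

Note that the official name appearing somewhere in the address is not enough: only the registrable domain at the end of the host name counts, which is why an address such as https://bank.example.evil-site.test/ is flagged.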

What to do if you are a victim of Quishing?

Do you think you have disclosed confidential data?

  • Check your recent transactions to identify any suspicious ones.
  • Contact PrivilegeConnect (Monday to Friday from 7am to 10pm and Saturday from 9am to 5pm) on 02 433 43 20 (for Private Banking) or 02 433 43 40 (for Wealth Management). Outside PrivilegeConnect's opening hours and only in case of suspected fraud, contact 02 433 43 75.
  • Immediately block all your bank cards via Card Stop on 078 170 170 or block your debit card(s) via Easy Banking App.
  • Make a statement to the police and send a copy of your statement to your BNP Paribas Fortis Private Banker or Wealth Manager.
  • Check, via Easy Banking Web (Settings > Access to our apps) or Easy Banking App (Settings > Security > Devices with our apps), the devices on which your banking app has been installed and remove any suspicious or unknown devices.

You can find more information on Safeonweb.be and on the website of the Belgian Financial Sector Federation.

Prevention is your best defence against Quishing and other forms of phishing. For practical tips and advice on online security, click on the link below.
Protect yourself from fraud and phishing