EXPLAINER: What you need to know about QR code phishing


RECENTLY, the  Joint Admissions and Matriculation Board (JAMB) announced the suspension of Ejikeme Mmesoma from writing its Unified Tertiary Matriculation Examination (UTME) for three years over reported forgery of her 2023 result.

The board in a statement by its Head of Public Affairs and Protocol, Fabian Benjamin, said, “its system was neither tampered with nor compromised  as the candidate simply falsified a copy of a result slip of a candidate named ‘Asimiyu Mariam Omobolanle’ who sat for the UTME in 2021 and scored 138.”

On the other hand, Mmesoma also shared her own side of the story.

In a viral video (now archived here) seen on social media, she showed the result she printed from the JAMB portal while reiterating that she never manipulated her result as alleged by the examination board.

According to her, she visited a cyber cafe to print her result and she was given a result slip with an aggregate score of 362. “They scanned this QR code here and it showed another name, a Yoruba name, Omotola Afolabi, 138,” she said.

Explaining further, she said the candidate linked to her QR code has another score reading 338, suggesting there’s a mix-up.

However, Mmesoma later admit to forging her UTME result, Arise News and TVC News reported.


Screenshot of the mobile app that allows users to create fake UTME results seen on Google Play store earlier but now removed from the store.

Our researchers at the FactCheckHub dig into the QR code phenomenon in a bid to educate the public about what QR code means, how it works, and how to avoid falling victim to QR code phishing or Quishing.


What is a QR Code?

The QR code stands for Quick Response code.

According to Kaspersky, a QR code is a type of barcode that can be read easily by a digital device and which stores information as a series of pixels in a square-shaped grid. QR codes are frequently used to track information about products in a supply chain and – because many smartphones have built-in QR readers – they are often used in marketing and advertising campaigns. More recently, they have played a key role in helping to trace coronavirus exposure and slow the spread of the virus.

An example of what a QR Code looks like.

While they may look simple, QR codes are capable of storing lots of data. But no matter how much they contain, when scanned, the QR code should allow the user to access information instantly – hence why it’s called a Quick Response code.

The technology for QR codes was developed by Densa-Wave, a Toyota subsidiary. The codes were originally used for tracking inventory and required a separate reader app, but beginning with iOS 11 and Android 8.0, readers are native to most mobile device cameras, explains a TechTarget report.

It added that Static QR codes are typically used to disseminate information to the general public. They are often displayed on posters and billboards and in ads in newspapers and magazines. The person who created the code can track information about the number of times their code was scanned and whether or not the code’s call to action was taken.

It noted that Dynamic QR codes (sometimes referred to as unique QR codes) offer more functionality. They can be edited at any time and even target a specific individual for personalized marketing. Such codes contain more metadata to facilitate tracking.

The data stored in a QR code can include website URLs, phone numbers, or up to 4,000 characters of text.


Are there dangers associated with QR codes?

QR codes are not inherently dangerous. They are simply a way to store data. However, just as it can be hazardous to click links in emails, visiting URLs stored in QR codes can also be risky in several ways, writes Scott Ruoti, an Assistant Professor of Computer Science at the University of Tennessee, in The Conversation.

He says the QR code’s URL can take you to a phishing website that tries to trick you into entering your username or password for another website.

“The URL could take you to a legitimate website and trick that website into doing something harmful, such as giving an attacker access to your account. While such an attack requires a flaw in the website you are visiting, such vulnerabilities are common on the internet. The URL can take you to a malicious website that tricks another website you are logged into on the same device to take an unauthorized action,” says Ruoti.

Aside from opening a website, these actions can include adding contacts or composing emails. This element of surprise can make QR code security threats especially problematic – That is why it’s called QR code phishing or Quishing.


How does QR Code Phishing work?

Quick Response (QR) code phishing is a type of phishing attack that uses QR codes to lure victims into revealing sensitive information. It doesn’t differ from typical internet phishing.

“It’s a social engineering bout aiming to convince you to submit your financial details, personal information, or login particulars,” says Eric Solms, an IT specialist, via his blogpost on LinkedIn.

READ: How to identify phishing scams and websites

He explains that the scammer embeds a malicious link in the QR code’s barcode. After scanning, the link will lead you to a page that asks for your details and enables the attacker to steal your information.

He notes that QR code phishing or Quishing can occur online or offline. In the physical realm, QR code scammers replace the authentic QR codes on the walls of corporate offices, businesses, and government service points. “There’s no way to know whether the QR code is genuine or fake unless you see a replacement sign,” he says.

Physical QR code phishing can also occur in hotels, shopping malls, and other physical businesses. For example, suppose you are at a hospital or medical center, and someone mounts a QR Sticker on a wall. In that case, the average user won’t think it is a hacker putting a sticker; they will think it is the hospital, which can be an easy vulnerability, he opines.

Nwachukwu Ebenezer, an IT Support Specialist, also notes that this form of social engineering attack is gaining popularity among cybercriminals eager to steal people’s personal data.

“Quishing attacks can be hard to spot, as the attackers create legitimate-looking websites and logos impersonating known brands,” he adds.

It may also be configured to automatically download malware to the victim’s device allowing the attacker to steal sensitive information or take control of the device.


What happens if you scan fake or malicious QR codes?

Scanning fake or malicious QR codes can have serious implications as it does not only direct you to a URL but can take you to phishing websites designed to steal your bank accounts, credit cards, other personal or mobile apps information. Here are few things that could happen if you scan a malicious or fake QR code:

  1. The QR code could send emails from your accounts, send pre-written emails and it can be programmed to access payment sites and also monitor social media accounts.
  2. You could be directed to a phishing website. Threat actors develop websites that convincingly look like the content you expect then they request critical information from you which can be used to steal one’s identity.
  3. Phony codes can be configured to automatically download contents into your mobile devices such as malware and Trojans.

Quick tips to protect yourself from QR code phishing

It is very important to be cautious and look out for red flags. Suspicious QR code placement, unexpected payment redirections, or personal information requests indicate a potential scam. If something feels off or seems too good to be true, it’s better to err on the side of caution and refrain from scanning the code.

ALSO READ: Phishing scam: a misinformation tool threatening cyber security

Here are further tips to safeguard yourself from QR code phishing or Quishing:

  1. Always verify the source before scanning QR codes. When scanning QR codes from unfamiliar sources or unsolicited messages, be cautious. After scanning, also check the destination site of the QR code to ensure the linked website or URL is secured.
  2. Visually examine QR codes for any signs of fiddling or manipulation as scammers may place stickers or overlays on genuine QR codes to redirect you to malicious websites. This occurs often with QR codes displayed in public places or in malls.
  3. Scanning QR codes that promise freebies or prizes, especially from unsolicited messages or emails, can lead to email scams or phishing. Verify its authenticity before scanning.
  4. Install and use trusted QR code scanner application on your mobile devices. Download from Google Play Store or Apple App Store only, and read reviews before downloading.
  5. Keep your smartphone operating system, apps, and QR code scanner updated with the latest security patches. Also, enable automatic updates whenever possible on your mobile devices.
  6. Be cautious when scanning QR codes that request personal details or login credentials; it might be phishing scams. Better still, you can manually enter the website URL into your mobile browsers instead of scanning the code directly.
  7. When using a QR code scanning app, review the permissions it requests. Be very cautious of apps that request excessive authorizations, such as accessing your contacts, messages, or other personal information that are unrelated to scanning QR codes.
  8. It is important to look out for phishing links and questionable attachments in emails.
  9. Always double-check the URL to ensure it matches the legitimate website you intended to visit.
  10. When scanning QR codes that lead to websites or online payment or social platforms, ensure you are connected to a secure network. Public Wi-Fi networks can be vulnerable to eavesdropping and data interception.
  11. Enable two-factor authentication whenever possible, especially for financial transactions or accessing sensitive information.
  12. Stay informed about common QR code scams and techniques used by attackers. Self-awareness is key to identifying and possibly avoiding potential threats.

More importantly, take immediate action if you come across a suspicious QR code or believe you have fallen victim to a QR code phishing or Quishing. Report the incident to relevant government agencies such as NCC, NITDA or the consumer protection agency in the country. Also, if it involves financial payment or transaction, quickly reach out to your bank through its customer care numbers to alert them and to further minimize potential damage or seek assistance in resolving the issue.

+ posts
Website | + posts

Opeyemi Kehinde is a Professional Fact-Checker, Multimedia Journalist, and Editor of the FactCheckHub.


Please enter your comment!
Please enter your name here

Most Read

Recent Checks