What is ‘Quishing’? Scanning a restaurant menu could lead to being hacked — here’s how to protect yourself

News Room
Scan and be scammed.

Officials are warning about a rise in “quishing attacks,” whereby con artists use nefarious QR codes that direct smartphone users to malicious sites that steal personal information.

QR codes have become common at places such as restaurants, where customers use their smartphones to scan the code to both pay and peruse the menus.

They’re also used at various check-in points at hotels and doctors’ offices, as well as at parking meters across the country.

“What’s especially concerning is that legitimate flyers, posters, billboards, or official documents can be easily compromised,” Dustin Brewer, senior director of proactive cybersecurity services at BlueVoyant, recently told CNBC.

“Attackers can simply print their own QR code and paste it physically or digitally over a genuine one, making it nearly impossible for the average user to detect the deception.”

QR codes are also used in virtual spaces. For instance, they’re frequently used to check the shipping status of an online order.

IBM reports that older individuals who are susceptible to more traditional phishing scams may also be most at risk when it comes to quishing.

However, given that more digitally savvy Millennials and Zoomers frequently scan QR codes without a second thought, they’re also at high risk.

“Don’t let added convenience lower your guard,” an official memo from the computer company IBM has urged, noting that the Federal Trade Commission (FTC) has recently reported a rise in quishing scams.

IBM officials urge people to look for physical signs of tampering if they’re scanning a QR code in a public place.

They also advise that users be cautious of any unsolicited QR requests.

“QR codes weren’t built with security in mind, they were built to make life easier, which also makes them perfect for scammers,” Rob Lee, chief of research, AI, and emerging threats at the cybersecurity-training-focused SANS Institute, told CNBC.

“We’ve seen this playbook before with phishing emails; now it just comes with a smiley pixelated square. It’s not panic-worthy yet, but it’s exactly the kind of low-effort, high-return tactic attackers love to scale.”
