Quishing attempts on the rise

Stock photo of someone scanning a QR code from their laptop to their phone. Caution tape runs across the photo.

A new category of phishing, which uses malicious QR codes to steal user credentials, is becoming more common and the University of Toronto community is encouraged to keep an eye out for attempts in their inboxes.

QR code phishing, or quishing, has elicited reports from staff, faculty and students who have received emails and messages with embedded QR codes that lead to malicious sites. Upon scanning these codes, users are redirected to deceptive websites, which often harbour malware or pose as legitimate platforms, all with the objective of stealing credentials and personal information.

Staying informed about these trends and adopting a cautious approach when engaging with suspicious emails and messages is crucial. Here are some real examples of quishing messages that U of T community members have received:

Presently, preventing quishing attempts poses a challenge because most of the contents are in the form of an image file. This makes it difficult for protection algorithms to identify trigger words and effectively block these malicious activities.

What to do in case of a quishing attempt in your inbox:

  1. Do not engage with the message if it looks suspicious.
  2. Report the attempt to security.response@utoronto.ca.
  3. If you accidentally engage with a malicious QR code and provide personal information, immediately update any credentials provided, including generating a new DUO passcode if necessary.

More information and resources on quishing: