Although the QR code has been an element present in our lives for a long time, it was not until the appearance of COVID-19 that it experienced a notable boom, thus serving as a tool to minimize contact between people in actions. such as identifying ourselves, reading the restaurant menu or connecting to a Wi-Fi network.
Likewise, the QR code has been used as an element to check if we have been vaccinated as it is incorporated into the COVID passport implemented by the European Union.
However, despite the benefit of the implementation of the QR code within these areas, this element has also been exploited for malicious purposes by people who practice phishing.
In this sense, cases of phishing that had been executed through the QR code were recently discovered in Spain, thus originating a new term within this practice: Qrishing.
To start the qrishing all that is required is that one person scan a QR code which then leads to a web or application where apparently the information of interest associated with that code is found, but this is only a facade to deceive the user.
The truth is that, once the person accesses the point where the malicious QR code, it is left vulnerable and runs the risk that its personal or banking data could be obtained by unscrupulous people who operate virtually from the shadows.
Likewise, through qrishing data theft is carried out by injecting malicious code or through an attack drive by download.
In this way, if you visit a website designed under this modality, you activate the download malicious software on your device which will then act incognito collecting your personal information or that of your device.
In that sense, the INCIBE (National Institute of Cybersecurity of Spain) suggests to businesses that they choose a QR code generator or a service where these elements are generated in a safe environment.
Added to this, INCIBE recommends that disable automatic opening of the web page when scanning the QR code, so that the person can check the link associated with this element and decide whether to access it or not.