Dan Gavin
QR Codes, Tattoos, and Quishing 

It was October 2011, and Tony, a 26-year-old web developer and gamer, scrolled through Google Images in search of tattoo inspiration as he made his way down the street to his apartment. He had just stood in line for four hours to get the new iPhone 4S, which had come out that very morning. He was excited about the eight-megapixel camera and the addition of a new personal assistant called Siri that responded to voice commands. All this he would have to try later; Tony loved few things more than pursuing the bleeding edge of technology, acquiring all the latest devices so that he could be among the first to use them. But one thing at a time, he thought. 

None of the tattoo ideas piqued his interest. Then suddenly it struck him: he could get a QR code of his website tattooed onto his forearm to show potential clients. At the time, QR code-scanning wasn’t a native feature in iPhone cameras (and wouldn’t be until 2017), but anyone with a scanning app could scan Tony’s forearm and see his website. It was an awesome sales tactic and a prime use of a technology that, while not exactly new, was on the rise in non-industrial settings. He generated the QR code and printed it for his tattoo artist, who meticulously inked his arm to match the printout exactly. 

Satisfied with its appearance, Tony showed the tattoo to his best friend, Joe. After Joe scanned Tony’s arm, he literally fell over laughing. The QR code tattoo hadn’t directed him to Tony’s website. Instead, it had shown him a YouTube video of a cat playing piano. 

A QR (Quick Response) code is a two-dimensional bar code that can be interpreted either horizontally or vertically and that contains encoded data. The codes were originally developed in 1994 to track products in a manufacturing plant but now have a wide range of uses, including marketing, making payments, connecting to Wi-Fi, accessing restaurant menus, providing directions, and many more. Generating QR codes is very easy, and there are free resources on the internet. I used www.qr-code-generator.com to generate the QR code for this article. 

Cyber hackers are also using QR codes. Except, they use them to fool users into downloading malicious code or password stealing.  Using QR codes for a phishing attack is called “quishing.”  Last summer, the cybersecurity company, Sophos, was targeted by a group of hackers.  The hackers sent an email to all employees that appeared to be related to employee benefits and retirement plans.  The email contained an Adobe PDF document that displayed a QR code.  Once the employee scanned the code with his phone, he was taken to a fake Microsoft 365 login form.  Once the employee entered their username and password, the hackers had his company credentials.   

Now, employees who’ve kept up to date on all our cybersecurity articles will understand what a phony link looks like and show caution. But in the case of a QR code scanned on a phone, the link is only up for a short time or is not shown in full, which makes it harder to scrutinize. Hackers may also use redirection techniques that cloak the final destination of a link. 

Sophos says they have observed an increasing number of quishing attempts over the past few months, and these attacks are growing more sophisticated. Andrew Brandt says, “Quishing documents now appear more polished than those we initially saw, with header and footer text customized to embed the name of the targeted individual (or at least . . . the username for their email account) and/or the targeted organization where they work inside the PDF.” 

Criminal organizations, perpetually fixed on business opportunity, now provide quishing services to the less talented hackers out there, and it is highly effective. To protect yourself, be wary of random QR codes from unknown sources. Be cautious of what turns up in your email inbox. If you’re on a computer, try reading the full link with Google Lens. Use your cybersecurity skills (courtesy of your favorite Cyber Guys) to alert yourself if something doesn’t seem right. Know your source before scanning. 

It never pays to be inattentive, but luckily for Tony, his problem stemmed from a harmless typo he made when he generated his QR code. He went back to the studio the following afternoon to get the QR code to his actual website tattooed on his other forearm. Lesson learned.