'Quishing' scams dupe millions of Americans as cybercriminals turn the QR code bad

To join the CNBC Technology Executive Council, go to cnbccouncils.com/tec

QR codes were once a quirky novelty that prompted a fun scan with the phone. Early on, you might have seen a QR code on a museum exhibit and scanned it to learn more about the eating habits of the woolly mammoth or military strategies of Genghis Khan. During the pandemic, QR codes became the default restaurant menu. However, as QR codes became a mainstay in more urgent aspects of American life, from boarding passes to parking payments, hackers have exploited their ubiquity.

“As with many technological advances that start with good intentions, QR codes have increasingly become targets for malicious use. Because they are everywhere — from gas pumps and yard signs to television commercials — they’re simultaneously useful and dangerous,” said Dustin Brewer, senior director of proactive cybersecurity services at BlueVoyant.

Brewer says that attackers exploit these seemingly harmless symbols to trick people into visiting malicious websites or unknowingly share private information, a scam that has become known as “quishing.”

The increasing prevalence of QR code scams prompted a warning from the Federal Trade Commission earlier this year about unwanted or unexpected packages showing up with a QR code that when scanned “could take you to a phishing website that steals your personal information, like credit card numbers or usernames and passwords. It could also download malware onto your phone and give hackers access to your device.”