INTRODUCTION
With the acceleration of digitalization, the use of technological tools in all areas of daily life has brought new legal issues to the agenda. Among these technological tools, QR (Quick Response) codes, the use of which has rapidly increased in recent years, come to the forefront. QR codes are widely used in many areas of daily life, from reviewing restaurant menus to carrying out payment transactions for online and offline goods or services, from enabling quick access to websites to information sharing. The fact that QR code usage is mainly carried out through mobile devices and that these devices have become an integral part of individuals’ daily lives has increased the accessibility and frequency of use of QR code technology.
However, this convenience also entails serious security risks. Indeed, users often access content directed through QR codes without questioning it, which may give rise to significant threats to the security of personal data. In this context, by scanning QR codes encountered in physical or digital environments, users may unwittingly become targets of phishing attacks known as “quishing.”
The Personal Data Protection Law No. 6698 (“KVKK”) aims to protect the fundamental rights and freedoms of individuals in the processing of their personal data and imposes various obligations on data controllers. In this regard, “quishing” attacks carried out via QR codes constitute not only a cybersecurity issue but also directly involve a personal data breach dimension. The Personal Data Protection Authority (“Authority”) has also informed data subjects on this matter by publishing an announcement titled “The Risk Arising from QR Codes: ‘Quishing’.”
In this article, the definition, functioning, and detection methods of quishing attacks will first be examined, followed by an evaluation of the legal implications of this type of attack within the scope of the KVKK, as well as the obligations of data controllers.
THE CONCEPT OF QUISHING
A. The Concept of Quishing and Its Technical Infrastructure
QR codes are two-dimensional barcodes capable of storing various types of data and can be rapidly scanned through mobile devices or barcode readers. Today, these codes are widely used not only on physical materials such as posters and brochures, but also in digital environments such as text messages, social media content, and emails.
Phishing, on the other hand, is a form of social engineering in which attackers aim to deceive users through emails, SMS messages, or fraudulent websites in order to obtain personal data such as passwords, credit card details, and identity information.
“Quishing” (QR phishing) is a term formed by the combination of the words “QR” (Quick Response) and “phishing.” This phishing method manifests itself in the form of cyber attackers directing users to malicious websites through fake or subsequently altered QR codes, persuading them to share their personal data, or causing them to install malicious software on their devices. In this context, quishing attacks are considered a type of cyberattack in which QR code technology and phishing techniques are used together.
QR codes are divided into two categories: “static” and “dynamic.” In static QR codes, the information contained in the code cannot be changed after it is created, whereas dynamic QR codes allow the target content to which they direct users to be updated, provided that their visual structure remains unchanged. While the flexibility provided by dynamic QR codes offers an advantage in situations where content needs to be updated frequently, it may, in some cases, also constitute a significant risk factor in terms of quishing attacks.
B. The Relationship Between Quishing and Traditional Phishing
In general, phishing is an attack method whereby attackers aim to deceive individuals through communications that create the impression of originating from a trustworthy person or institution, thereby inducing them to click on links directing them to malicious websites, to share their personal data, or to download attachments or files containing malicious software.
For a long time, such attacks were carried out predominantly via email, with persuasive and realistic message content used to attract individuals’ attention and gain their trust. However, the efforts of attackers to achieve higher success rates have led to the diversification of phishing methods over time, resulting in the emergence of new types of phishing as different communication channels were adopted. In this context, “vishing” (voice phishing) conducted through voice calls, “smishing” (SMS phishing) carried out via text messages, and “quishing” conducted through QR codes are among the principal methods used within the scope of phishing attacks.
C. Quishing Attacks Following the Scanning of a QR Code
Following the scanning of a QR code, being redirected to a webpage that requests the user to enter sensitive information—such as authentication credentials or credit card data—constitutes one of the most prominent indicators of quishing attacks. In addition, circumstances such as the opened webpage redirecting to a domain name that is inconsistent with the institution or service it purports to represent; being directed, within service environments, to payment pages whose connection with the authorized institution or business cannot be verified; the initiation of unexpected file downloads after scanning the QR code; the occurrence of additional redirections; or the emergence of unusual user interactions also constitute clear indicators of a quishing attack.
EVALUATION OF QUISHING ATTACKS WITHIN THE SCOPE OF THE KVKK
A. The Nature of Quishing Attacks as Personal Data Breaches
Pursuant to Article 12 of the KVKK, data controllers are obliged to take all necessary technical and administrative measures to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the secure storage of personal data. During a quishing attack, individuals may be requested—through a fake login interface—to enter authentication or payment information, which may result in the unauthorized acquisition of personal data, including financial data, by third parties.
Within this framework, the unlawful acquisition of personal data as a result of such attacks may, depending on the circumstances of the specific case, and particularly where the data controller has failed to take the necessary technical and administrative measures, be considered a personal data security breach within the scope of Article 12 of the KVKK. In this regard, unauthorized third parties gaining access to personal data without the consent of the data subject and in an unlawful manner may indicate a violation of the obligations relating to the principle of personal data security as prescribed under the KVKK.
On the other hand, as a result of this process, malicious actors may obtain personal data such as identity or payment information. Such data may include name and surname, contact details, financial information, and authentication-related data; since such information qualifies as “personal data” under Article 3 of the KVKK, its unlawful acquisition necessitates an assessment within the scope of the KVKK.
B. Obligations of Data Controllers in the Face of Quishing
1. Obligation to Take Technical and Administrative Measures
The fact that quishing attacks may constitute a personal data breach brings the data security obligations of data controllers into question. In this context, whether data controllers have implemented the necessary security measures against quishing risks shall be assessed on a case-by-case basis, taking into account their field of activity and data processing processes. In particular, where QR codes located within the physical premises of a business or institution are altered, or where fake QR codes are transmitted to customers/users via digital communication channels, it may be questioned whether the relevant business or institution, in its capacity as a data controller, has taken adequate security measures; in this regard, it is of particular importance whether the data controller has established the necessary supervision and security mechanisms.
Furthermore, the liability of the data controller should be assessed within the framework of whether reasonable security measures have been taken against foreseeable risks; as for attacks carried out entirely through the intervention of third parties and in an unforeseeable manner, liability must be evaluated separately.
In addition, where the QR code infrastructure is operated through third-party service providers, the data controller is required to oversee the data security obligations of such service providers and to establish the necessary contractual and technical safeguards.
2. Obligation to Notify of a Data Breach
Pursuant to paragraph 5 of Article 12 of the KVKK, in the event that processed personal data is obtained by others through unlawful means, the data controller is obliged to notify both the data subject and the Personal Data Protection Board (“Board”) as soon as possible. The Board may, where it deems necessary, announce such breach to the public.
In this context, where it is determined that users’ personal data has been obtained by unauthorized third parties as a result of a quishing attack, the data controller’s obligation to notify a data breach may arise. In line with the established practice of the Board, the data controller is expected to act without delay upon becoming aware of the breach and to make the notification as soon as possible; the Board’s guidance further specifies that such notification should be made within 72 hours.
3. Obligation to Inform
Pursuant to Article 10 of the KVKK, data controllers are obliged to inform data subjects at the time of the collection of personal data. In this context, the obligation to inform remains applicable to all data collection activities carried out by the data controller through digital means, including data collected via QR codes.
Accordingly, where personal data is obtained through the use of QR codes provided by the data controller, the necessary information regarding the relevant data processing activity must be provided to the data subjects at the time the data is obtained or, at the latest, simultaneously with such moment. In this respect, it is important that the information to be provided by the data controller is of a nature that enables data subjects to remain vigilant against potential quishing attacks, thereby allowing them to take measures to protect their own data security.
MEASURES THAT CAN BE TAKEN AGAINST QUISHING ATTACKS
Although quishing attacks largely embody the fundamental characteristics of traditional phishing methods, they may manifest in different forms in practice due to being carried out through QR codes. This necessitates that the risks arising specifically from the use of QR codes be taken into consideration when assessing such attacks and raising awareness against them.
In this context, the main points that individuals should pay attention to may be summarized, with reference to the announcement titled “The Risk Arising from QR Codes: ‘Quishing’” issued by the Personal Data Protection Authority, as follows:
- Caution should be exercised with respect to QR codes located in public areas; it should be verified whether there are any physical alterations such as subsequent placement, misalignment, or pixelation, and codes that appear suspicious should not be scanned.
- The source of the QR code should be verified; codes should only be scanned from reliable sources, QR codes received from unknown individuals or via unsolicited emails/messages should be avoided, and particular caution should be exercised against messages designed to evoke a sense of urgency, panic, or curiosity.
- Reliable QR code readers should be preferred; where the use of a third-party application is required, it should be ensured that such application is trustworthy.
- The redirected link should be carefully examined; it should be verified whether the link accessed after scanning actually belongs to the intended website or mobile application, and attention should be paid to the presence of spelling errors, unusual characters, or unfamiliar domain extensions.
- If, following the scanning of the relevant code, the user is redirected to a link requesting personal information, the accuracy and authenticity of the website should be verified before any information is shared; where possible, the relevant address should be entered manually into the browser.
- Device and account security should be strengthened; the operating system should be kept up to date, strong passwords should be used, and, where possible, multi-factor authentication should be enabled.
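The link checks above (the redirected link and its domain, spelling, unusual characters and domain extension) and the indicators in the section on quishing attacks following a scan (a domain inconsistent with the institution, additional redirections, unexpected file downloads) can be turned into a defender-side checker for the URL decoded from a QR code, including the redirect hop that a dynamic QR code typically introduces. The following Python is an added example written for this article, not code from the Authority's announcement or from any real institution; the expected domain, brand token, familiar TLD list and sample URLs are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed values for this example: the registrable domain the publishing
# institution actually uses, its brand token, and the TLDs a user recognises.
EXPECTED_DOMAIN = "example-bank.com.tr"
BRAND_TOKEN = "example-bank"
FAMILIAR_TLDS = {"com", "com.tr", "org", "gov.tr", "edu.tr", "net"}

def _belongs_to(host, domain):
    """True if host is the expected registrable domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def _familiar_tld(host):
    parts = host.split(".")
    return any(".".join(parts[-n:]) in FAMILIAR_TLDS for n in (1, 2))

def inspect_hop(url):
    """Return the indicator names found in one URL of the redirect chain."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return ["not-a-web-url"]               # text, WIFI:, tel: payloads etc.
    flags, host = [], (p.hostname or "").lower()
    if p.scheme != "https":
        flags.append("not-https")
    if p.username or p.password:
        flags.append("credentials-in-url")      # brand@attacker-host trick
    if "xn--" in host or any(ord(c) > 127 for c in host):
        flags.append("unusual-characters")      # punycode / homoglyph host
    if not _belongs_to(host, EXPECTED_DOMAIN):
        flags.append("host-not-expected")
        if BRAND_TOKEN in host:
            flags.append("brand-lookalike")     # brand name on a foreign domain
    if not _familiar_tld(host):
        flags.append("unfamiliar-tld")
    if p.path.lower().endswith((".apk", ".exe", ".msi", ".zip", ".scr")):
        flags.append("file-download")           # unexpected download after scan
    if any(k in parse_qs(p.query) for k in ("redirect", "url", "next", "goto")):
        flags.append("redirect-parameter")      # further redirection likely
    return flags

def inspect_chain(chain):
    """chain: URLs from the decoded QR payload to the final landing page, as
    observed by following redirects. Returns per-hop and chain-level flags."""
    hops = [inspect_hop(u) for u in chain]
    chain_flags = ["multiple-redirections"] if len(chain) > 2 else []
    landing = (urlparse(chain[-1]).hostname or "").lower() if chain else ""
    if not _belongs_to(landing, EXPECTED_DOMAIN):
        chain_flags.append("landing-host-mismatch")
    return {"hops": hops, "chain": chain_flags,
            "suspicious": bool(chain_flags or any(hops))}
```

A legitimate dynamic QR code (a short link on the institution's own subdomain resolving to its website) produces no flags, while a lookalike domain reached over plain HTTP with a redirect parameter is reported on every indicator it trips.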
CONCLUSION
Quishing attacks arise as a result of the misuse of the conveniences offered by QR code technology and constitute an advanced form of traditional phishing methods. These attacks often lead users to share their personal data without being aware of it; in this respect, they should be evaluated not only as a cybersecurity issue but also as a legal matter concerning the protection of personal data.
In this context, the unauthorized acquisition of personal data as a result of quishing attacks may, depending on the circumstances of the specific case, qualify as a data security breach within the scope of the KVKK. This situation increases the duty of care incumbent upon data controllers under the KVKK. Accordingly, it is of importance that data controllers, taking into account the risks of quishing in areas where the use of QR codes has become widespread, implement the necessary security measures, supervise third-party service providers, and take steps to raise user awareness. At the same time, it is critical for individuals to approach QR codes with caution and to possess basic digital security awareness in order to mitigate the effects of such attacks.