Prior to the pandemic, QR codes struggled to gain widespread adoption and were on the verge of fading into obscurity. But with COVID-19, everything changed; a world looking to minimize physical contact - contactless transactions, digital menus, remote access – embraced QR codes with gusto.
Today, QR codes are near ubiquitous, offering companies, individuals, and brands a convenient method of sharing links, documents, images, and more. They’re easy to use – point, scan, connect – and every smartphone has the built in capability of reading them.
However, lurking behind their convenience lies a potential for danger. Obscured behind their pixelated outward appearance could be anything – malicious links, malware, phishing sites. A simple scan could lead unsuspecting users into a trap, compromising personal data and security.1
The risks associated with QR codes continue to grow, and it’s imperative that we understand how to avoid pitfalls. Let’s explore both how cybercriminals use QR codes to nefarious ends and how you can better protect yourself.
Check out additional Information Security articles here.
Manipulation
QR codes are like a box of chocolates: you never know exactly what you’re going to get. Pulling back the curtain can reveal a host of hidden dangers…
Risky URL embedding:
Harmful URLs can be encoded into a QR code, delivering malware downloads directly to your device. Malware can steal personal data, intercept payments, and even track your physical location.
Phishing:
Fake websites are becoming more and more convincing, making it harder to distinguish between legitimate sites and scams. Cybercriminals, in attempts to steal login credentials, credit card details, and other personal information, can use QR codes to direct unsuspecting users to fraudulent websites, often mimicking well-known brands or services and creating a false sense of security. This type of attack is known as "quishing".2
Malicious calls or texts:
Scanning a QR code can prompt your phone to call or text a predefined number. This method is used to exploint personal caller ID information, contributing to robocall and SIM-jacking (taking control of someone’s phone number) attacks.3, 4
Send an email:
QR codes can store an email draft with a predefined recipient. When the user hits send, they might unknowingly transmit personal details to a malicious actor.
Wi-Fi network access: Some QR codes contain network credentials that automatically connect your device to an unsecured network, exposing it to potential attacks.
Redirecting payments: Criminals can replace legitimate QR codes with fraudulent ones in places like grocery stores. Once scanned, the payment goes directly to the attacker’s bank account.5
Staying safe
Verify, verify, verify:
Before scanning a QR code, always confirm the source. If the code is from a unknown or suspicious source – like a random poster tacked onto a light pole downtown – it’s best to avoid scanning.
URL inspection:
After scanning, review the URL. Does it seem legitimate? Typos or suspicious domains are red flags.6
Physical tampering:
If a QR code sticker appears to be covering another code, especially in public places like restaurants, it may have been tampered with. Be cautious.
Code scanner application:
Some QR scanner apps offer additional security features that check URLs for known threats before opening them. Check out this list of some of the best available applications available today.
Avoid certain activities:
Downloading apps or making payments via QR codes can be especially dangerous. Since cybercriminals can easily clown websites, it’s best to download apps from certified app stores and make payments through official channels.
Multi-factor authentication (MFA):
It wouldn’t be a proper information security article without mentioning MFA. Enabling MFA for sensitive accounts (i.e. banking, email, social media) provides an extra layer of security, requiring multiple forms of verification. With MFA, even hackers that obtain your login credentials are faced with an impassable roadblock to accessing your account.
Ear to the ground:
Stay informed with current cybersecurity practices and inform friends and family about how they can mitigate QR code-associated risks.
Better safe than sorry
QR codes are an incredible tool, making many rudimentary digital tasks easier than ever before. But, as we’ve outlined in the sections above, they come with significant risks.
Cybercriminals don’t sit still; they’re constantly evolving their tactics. By adhering to recommended safety protocols and remaining vigilant, you can minimize risk and securely benefit from the convenience QR codes provide.
[1] Malware Bytes, https://www.malwarebytes.com/cybersecurity/basics/what-is-a-qr-code
[2] Tech Target, https://www.techtarget.com/searchmobilecomputing/tip/Understanding-QR-code-security-issues-for-enterprise-devices
[3] Forbes, https://www.forbes.com/councils/forbestechcouncil/2020/06/01/i-dont-scan-qr-codes-and-neither-should-you/
[4] Kajeet, https://www.kajeet.com/en/blog/iot-security-what-is-sim-jacking-and-how-to-avoid-it
[5] Uniqode, https://www.uniqode.com/blog/qr-code-security/qr-codes-exploitation
[6] Cyber Ark, https://www.cyberark.com/resources/blog/step-away-from-the-qr-code-and-read-these-7-safety-tips