Quick Response (QR) codes, first developed in Japan in the 1990s, are square shaped codes that can be used for a variety of purposes. With their ability to store a lot of data, QR codes are an efficient and easy way to share and stow information. They can also be used for tracking purposes, sharing contact information, marketing promotions, ticketing, and completing contactless payments.
With the need for contactless engagement increasing during the pandemic, the use of QR codes has become even more popular. Many restaurants include QR codes on—or in place of—menus. Codes are also commonly found on business cards, flyers, and even buses. Despite their ubiquitous nature, it’s important not to overlook the risks associated with QR codes.
What Are the Risks?
Like any way of sharing information via a link or download, QR codes have the potential to be used maliciously. The FBI issued an announcement in January 2022 to bring attention to the rise of fraudulent QR codes. Victims scan what they assume to be a safe code but are instead scanning something dangerous.
With countless free code generators available online, it is incredibly easy to generate QR codes, which makes it even easier for threat actors to create fake codes.
Due to their widespread use, QR codes have a sense of perceived trustworthiness. This perception can unintentionally aid the success of cybercriminals because more people are unknowingly scanning these harmful codes. In many cases, implementing a false QR code is as simple as creating a new one and pasting it over the existing QR code. Another possibility is adding a fraudulent QR code to something like a menu or flyer that is not supposed to have one. Since QR codes are so common, most people won’t question the code’s placement, leading to more attacks.
Types of Attack
Like other types of phishing activities, the goal of QPhising is to get users to click on links. These links are fraudulent URLs embedded in a QR code that look incredibly similar to the intended URL and they link to a spoof website. Once on the fake site, users are then prompted to provide confidential information which criminals could then sell or use as leverage to extort payment. These websites often look incredibly realistic, so users need to be vigilant when visiting them.
Another type of attack happens when users scan a QR code and their device is subsequently infected with malware or ransomware. Other times users are directed to websites which trigger automatic malware downloads. These programs take over a device and can force payment in order for access to be returned. Cybercriminals can also utilize these forms of attack to steal private data, login credentials, and potentially even gain access to company networks depending on the type of device used to scan the QR code.
Threat actors can also implement programming that will turn on a device’s camera without the user knowing to create a live feed. Similarly, threat actors can remotely turn on location data to track a device remotely whenever they choose.
QR codes have often been used to facilitate contactless payments, and that has become even more prevalent during the pandemic. Restaurants, vendors, and even gas pumps have all used QR codes in this manner, and these codes can be easily swapped with malicious code. In these attacks, criminals can have funds diverted to their own bank accounts instead of where the money is supposed to go.
In some instances, hackers are not targeting code scanners but are instead exploiting a bug in either a QR code scanner or the data embedded in the QR code itself. Once discovered, bad actors can utilize bugs in code readers to take advantage of cameras or sensors within devices. This is another way to secretly start a live feed.
Alternately, hackers could discover that a URL domain found within an existing code to be for sale, purchase it, and turn it into a malicious spoof website.
How To Use QR Codes Safely
There are many ways to protect yourself, your data, and your devices when using QR codes. Here are some tips:
- Only scan codes from trusted sources—if you don’t trust the link, don’t click on it.
- Instead of downloading QR code scanners, use the built-in scanner in your smartphone’s camera.
- When given the option to preview the URL, always view it closely. Most smartphone cameras utilize this feature. If you’re unsure, try and access the known website directly.
- Set devices so they do not automatically open links from QR codes.
- Regularly install security updates to receive the latest patches and bug fixes.
- Don’t download apps via QR codes, instead utilize the relevant app store.
- Be vigilant: if something looks off, do not use it and find a different way to complete the transaction.
Cyberattacks continue to increase, and it’s important to be aware of potential risks. QR codes can be a target, and users should proceed with caution when interacting with them.