QR codes, those ubiquitous black and white squares, have become an ingrained part of our daily lives. From restaurant menus to train tickets, they offer a quick and easy way to access information on our smartphones. But with this convenience comes a potential security risk – malicious QR codes.
QR codes have been a part of our technological landscape since the 90s, but it wasn’t until the COVID-19 pandemic that they truly became ubiquitous. During lockdowns, QR codes were used for everything from ordering food to verifying vaccination status. Today, they serve various purposes, such as directing users to websites, logging into devices without keyboards, and facilitating payments for goods and services.
Despite their convenience, QR codes also raise security concerns. With their widespread use in public spaces like pubs and restaurants, it’s natural to wonder if criminals are exploiting these codes to steal money, information, or trick people in other ways.
QR Code Technology: A Brief Overview
Quick Response (QR) codes are two-dimensional barcodes that can be scanned using a smartphone or other device with a camera. They were originally developed for the automotive industry in Japan to track vehicle parts.
QR codes store information such as website addresses, contact details, or product codes. Scanning one with your smartphone camera retrieves this information instantly.
Today, their application has expanded across various sectors, providing a quick and efficient way to access information or perform tasks without typing out long URLs or codes.
The Rise of QR Code-Related Fraud
Reports of QR-enabled fraud have surfaced online, including notable incidents like the one reported by BBC News where a woman was scammed at a railway station. While this type of scam is relatively minor compared to other cyber frauds, it’s essential to recognize that QR code fraud often involves an element of social engineering.
In many cases, such scams occur in open spaces like stations and car parks, where criminals might replace legitimate QR codes with malicious ones. These codes, when scanned, direct the user to phishing websites designed to steal personal information or install malware.
The Threat of ‘Quishing’: QR Codes in Phishing Emails
While the QR codes you encounter at restaurants or shops are likely safe, cybercriminals are exploiting their popularity through a technique called “quishing” (a blend of QR and phishing). Here’s how it works:
Phishing Emails with QR Codes: Deceptive emails containing QR codes instead of suspicious links are becoming more common. These QR codes, when scanned, can take you to malicious websites designed to steal your personal information, login credentials, or financial details.
Why QR Codes are Attractive for Phishing:
- Bypassing Link Caution: As people become more wary of clicking suspicious links in emails, criminals use QR codes to hide the URLs of malicious websites. This can trick even a wary user into scanning the code.
- Security Software Gaps: Many security tools that scan emails for phishing attempts may not analyze images. Consequently, a QR code leading to a malicious site can slip through undetected.
- Personal Device Vulnerability: Users are likely to scan QR codes with their personal phones, so the resulting website opens on a device that often lacks the robust security protections found on corporate devices and work computers. This makes personal devices more vulnerable to attacks.
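An added example, not from the original article: a mail-filter check in Python that compares the links a text-only scanner sees with the links that exist only inside image parts of a message, which is the gap described in the list above. The sample message, the `example.invalid` URL and the stand-in decoder are constructed for illustration; decoding real images assumes OpenCV (`opencv-python`) and NumPy are installed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
SAMPLE_IMAGE = b"\x89PNG constructed placeholder bytes"  # stands in for a QR image
SAMPLE_URL = "https://login.example.invalid/mfa"         # constructed URL

def decode_qr_opencv(image_bytes):
    """Decode every QR code in an image. Assumes opencv-python and numpy."""
    import cv2
    import numpy as np  # imported lazily so triage() works without them
    img = cv2.imdecode(np.frombuffer(image_bytes, np.uint8), cv2.IMREAD_GRAYSCALE)
    if img is None:  # bytes were not a decodable image
        return []
    ok, texts, _points, _codes = cv2.QRCodeDetector().detectAndDecodeMulti(img)
    return [t for t in texts if t] if ok else []

def constructed_decoder(image_bytes):
    """Stand-in decoder for the constructed sample, so the demo runs offline."""
    return [SAMPLE_URL] if image_bytes == SAMPLE_IMAGE else []

def triage(raw, decode_qr=decode_qr_opencv):
    """Return (URLs in text parts, URLs present only inside QR images)."""
    msg = message_from_bytes(raw, policy=policy.default)
    text_urls, qr_urls = set(), set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        kind = part.get_content_maintype()
        if kind == "text":
            text_urls.update(URL_RE.findall(part.get_content()))
        elif kind == "image":
            for payload in decode_qr(part.get_content()):
                qr_urls.update(URL_RE.findall(payload))
    return text_urls, qr_urls - text_urls

def build_sample():
    """Constructed message: link-free text body plus one attached image."""
    m = EmailMessage()
    m["Subject"] = "Action required: verify your account"
    m.set_content("Scan the code below with your phone to continue.")
    m.add_attachment(SAMPLE_IMAGE, maintype="image", subtype="png", filename="code.png")
    return m.as_bytes()

if __name__ == "__main__":
    visible, hidden = triage(build_sample(), constructed_decoder)
    print("links a text-only scanner sees:", sorted(visible))
    print("links found only in QR images: ", sorted(hidden))
```

A message whose only link lives inside an image is a useful signal to hold for review or to pass the decoded URL to the same reputation checks applied to ordinary links.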
Best Practices for QR Code Safety
To ensure your safety when interacting with QR codes, consider the following tips:
- Trust Public Space QR Codes: The QR codes in reputable establishments like pubs and restaurants are generally safe to scan. Businesses have little incentive to expose their customers to malicious links.
- Exercise Caution in Open Spaces: Be cautious when scanning QR codes in open, unsupervised areas such as stations or car parks. Always be wary if you’re asked to provide extensive personal information following a scan.
- Beware of Email QR Codes: If you receive an email containing a QR code, treat it with suspicion. The rise of ‘quishing’ attacks means these codes could lead to malicious websites designed to harvest your data.
- Use Built-In QR Scanners: Rely on the QR scanner that comes with your smartphone. Avoid downloading third-party scanning apps from app stores, as these can sometimes be compromised.
- Scrutinize After Scanning: If the scanned website looks unprofessional or requests sensitive information, leave immediately and don’t enter any details.
- Beware of Follow-Up Scams: Phishing attempts might involve phone calls or further emails after scanning the code. Be alert to social engineering tactics designed to extract information.
By understanding the risks and exercising caution, you can continue to enjoy the convenience of QR codes without falling victim to cyberattacks. Remember, if something seems too good to be true, it probably is. Don’t hesitate to double-check the legitimacy of a QR code before scanning it.
Conclusion
QR codes are a valuable tool in our digital toolkit, but like all technology, they come with risks. By staying informed and adopting cautious practices, you can enjoy the convenience of QR codes while protecting yourself from potential cyber threats. Remember, a little vigilance goes a long way in ensuring your digital security.
References and Resources:
https://www.ncsc.gov.uk/blog-post/qr-codes-whats-real-risk
Additional Resources: Canadian Centre for Cyber Security – How to use QR codes safely: https://consumer.ftc.gov/consumer-alerts/2023/12/scammers-hide-harmful-links-qr-codes-steal-your-information