A QR code, or quick response code, is a square matrix barcode that can be scanned using your smartphone’s camera. They can store more data than a traditional barcode, making them very versatile. However, they bring with them unique security risks. The tool is sometimes utilized by cybercriminals to increase their success rate, such as in a QR code phishing attack.
Table of Contents
QR Code Use Cases
When a QR code is scanned, it allows a user to quickly perform an action. Here are a few use cases you’re likely to encounter:
1. Websites & Apps
Many organizations use QR codes to direct a smartphone user to a website page or to download an app from Google Play or the Apple App Store. For example, a user may scan a QR code at their favorite restaurant to view their online menu or their reward system.
2. Digital Tickets
Users can easily access their airline boarding passes, concert tickets, and more with QR codes containing their personal information to gain entry.
3. Mobile Payments
QR codes can be used to send payment information during checkout as well as transferring money between users.
4. User Authentication
These codes can be used for two-factor authentication (2FA). Users simply scan a code to confirm their identity when logging into an account.
Uses for this little square code are seemingly endless, and their popularity has been growing steadily. Insider Intelligence reports that the number of users scanning a QR code “will increase from 83.4 million in 2022 to 99.5 million in 2025.”
QR Code Security Risks
While QR codes are powerful and convenient tools, they also pose a significant security risk to individuals and organizations. Because they’re being used more often, QR codes create a sense of legitimacy in our minds. This risk is amplified by:
- Most people being unaware that they could be scammed when interacting with a code.
- It’s difficult for people to discern the legitimacy of the URL or action embedded within the code before scanning it.
- The social engineering tactics being employed (such as urgency or tempting offers).
That’s why your employees must know what to look for to avoid falling for a hacker’s tactics – making security awareness training a must.
Malicious Intent
QR codes can be malicious thanks to cybercriminals who use them to exploit or harm users. This fake QR code technique is also called quishing scams, QR phishing, or a quishing attack. Their goal is to compromise your sensitive information, such as:
- Your financial data
- Your login credentials
- Your personal information
Types of QR Code Scams
1. Malware Distribution
Once a fake QR code is scanned with a mobile device, it can lead to fake login pages where users are prompted to enter sensitive information, potentially leading to identity theft. Or, the user might unknowingly be downloading malware that compromises their device – like viruses, ransomware, spyware, and Trojans.
This malware allows them to accomplish a variety of goals, but generally centers around these three tasks:
- Enabling the attacker to remote control to use an infected device.
- Sending spam from infected devices to unsuspecting targets.
- Reviewing the infected user’s local network.
By navigating to a malicious site, users unwittingly give malware access to their devices, their personal information, and more.
2. Payment Fraud
As previously mentioned, many organizations use QR codes to give information to consumers. They also use them to collect payments for goods and services. For example, some parking meters use a code to direct consumers to a payment website.
In a payment fraud situation, a criminal covers up the organization’s original QR code with their fraudulent one. The code left by the bad actor will then direct the user to their malicious website – so the user pays them instead of the intended organization.
3. QR Code Phishing
This social engineering attack occurs through emails. Quishing emails add a QR code to their traditional phishing attacks to direct users to a malicious site. They do this in place of a malicious link or button.
Phishing emails that include QR codes make it difficult for users to check if a site is legitimate before they visit it. Additionally, they make it tougher for security software to detect any issues.
These risks make effective email security essential.
Real-life QR Code Phishing Email Example We Intercepted:
Like other phishing methods, the messaging in this email tries to manipulate the email recipient:
- The email fraudulently poses as a well-known brand (Microsoft)
- It includes a sense of urgency (2 days to scan QR code)
- It provides a consequence for not following through with their request (account interruption)
These tactics increase cybercriminals’ success rate. So, ensure you take note when you receive an email that has high levels of immediacy and requests that you take action.
How to Protect Your Business from QR Phishing
Recently, our cybersecurity experts have seen a rise in QR code phishing emails being sent. To minimize your QR code risk, use good cyber hygiene to better protect yourself and your organization. Here’s 6 essential tips to share with your coworkers:
1. Do Not Scan Codes
The best way to mitigate risk is to not scan any QR codes – especially on business smartphones. Instead, navigate to the site you want to interact with or pay for goods and services directly.
2. Look Closely
If you are considering scanning a physical QR code (on a window, meter, sign, etc.), look closely at it to ensure that it has not been tampered with. Keep in mind that just because you verify it is the only code there, it does not mean that it is not malicious. A cybercriminal may have placed their code in a location where none previously existed.
3. Confirm QR Code Legitimacy
If you receive a code from someone you believe you know, reach out to them directly with their known contact information to verify it is safe and not from an cybercriminal (i.e., a phone number you use regularly to speak with them).
4. Review Web Address
Once you scan a QR code, review the web address to ensure it is the site you expect – with the proper spelling and punctuation.
5. Be Cautious with Personal Information
Think twice before entering personal information, login credentials, or financial information into a site that you navigated to from a QR code. If you receive a message that requests you complete a payment through a QR code, it’s safer to manually navigate to the organization’s website or call to process the payment.
6. Avoid Downloading Apps
Instead of downloading an app from a QR code, it is much safer to navigate to your phone’s app store. App stores have processes and systems in place to ensure apps are safe for download. In the same vein, avoid downloading QR code scanner apps. Use the one that comes with your phone’s operating system.
7. Keep Devices Secure
Keeping your devices secure is crucial, especially in the context of QR code phishing, where attackers may use sophisticated methods to exploit any security gaps. Here’s how:
- Use spam filters and enable MFA to strengthen your email security.
- Set your antivirus software to automatically scan your devices regularly.
- Regularly update all software, including your operating system, browser, and any installed apps.
- Where possible, enable automatic updates to ensure that you’re always running the latest versions of software and security patches.
8. Staff Training
One of the most important ways to protect data is through training. Monthly security awareness training should be provided. Make sure it includes the risks associated with QR codes and other social engineering threats. This will help individuals and employees recognize and avoid quishing attacks.
How to Report QR Code Fraud
If you or your organization experiences QR code fraud, report it to the FBI as soon as possible. To submit your report, contact your local FBI field office and the FBI Internet Crime Complaint Center.
Learn More About Social Engineering Attacks
There are many types of social engineering tactics hackers use that employees at your organization need to know about. Make sure your organization is providing regular security awareness training and simulated phishing campaigns to protect your data.
Check out our social engineering guide to learn more.
