A QR code, or quick response code, is a square matrix barcode that can be scanned using your smartphone’s camera. QR codes can store more data than a traditional barcode, making them very versatile. However, they bring with them unique security risks. Cybercriminals sometimes use them to increase their success rate, such as in a QR code phishing attack.
If you’re unfamiliar with QR codes, here is one we created for you to try out (Please note: This QR code leads to one of our secure blog pages):

Scan our QR code above to learn more about phishing attacks.
QR Code Use Cases
When a QR code is scanned, it allows a user to quickly perform an action. Here are a few use cases you’re likely to encounter:
Websites & Apps
Many organizations use QR codes to direct a smartphone user to a website page or to download an app from Google Play or the Apple App Store. For example, a user may scan a QR code at their favorite restaurant to view their online menu or their reward system.
Digital Tickets
Users can easily access their airline boarding passes, concert tickets, and more with QR codes containing their personal information to gain entry.
Mobile Payments
QR codes can be used to send payment information during checkout as well as to transfer money between users.
User Authentication
These codes can be used for two-factor authentication (2FA). Users simply scan a code to confirm their identity when logging into an account.
Uses for this little square code are seemingly endless, and their popularity has been growing steadily. Insider Intelligence reports that the number of users scanning a QR code “will increase from 83.4 million in 2022 to 99.5 million in 2025.”
While QR codes are powerful and convenient tools, they also pose a significant security risk to individuals and organizations. These risks make it essential that individuals know what to look for to avoid falling for a cybercriminal’s tactics.
Malicious Intent
QR codes can be malicious thanks to cybercriminals who have adopted them to exploit or harm users. Their goal is to compromise your sensitive information, such as:
- Your financial data
- Your login credentials
- Your personal information
One of the reasons this attack method is successful is that many people are completely unaware that they could be scammed when interacting with a code.
Types of QR Code Scams
Malware Distribution
Cybercriminals often use QR codes to direct users to malicious websites containing malware. Examples of malware include viruses, ransomware, spyware, and Trojans. Malware allows cybercriminals to accomplish a variety of goals, which generally center around these three tasks:
- Enabling the attacker to remotely control an infected device
- Sending spam from infected devices to unsuspecting targets
- Reviewing the infected user’s local network
By navigating to a malicious site, users unwittingly give malware access to damage their device, their personal information, and more.
Payment Fraud
As previously mentioned, many organizations use QR codes to provide information to consumers. They also use them to collect payments for goods and services. For example, some parking meters use a code to direct consumers to a payment website.
In a payment fraud situation, a criminal covers up the organization’s original QR code with their fraudulent one. The code left by the cybercriminal will direct the user to their site – so the user pays them instead of the intended organization.
QR Code Phishing
Phishing attacks are initiated by cybercriminals attempting to gain personal information (e.g., login credentials, credit card numbers, etc.) by impersonating a reputable organization. This social engineering attack is often conducted through emails. However, other messaging tactics can be used – such as text messages (smishing) and phone calls (vishing).
Sometimes cybercriminals add a QR code to their phishing emails to direct users to a malicious site – instead of using links or buttons.
Phishing emails with QR codes make it impossible for users to verify the legitimacy of the site prior to visiting it, and they are harder for security software to detect. These risks make it essential to know how to identify phishing emails and protect yourself, and your organization, from malicious QR codes.
Real-life QR Code Phishing Email Example We Intercepted:

Please note: We blurred out the QR code as a safety precaution.
Like other phishing methods, the messaging in this email tries to manipulate the email recipient:
- The email fraudulently poses as a well-known brand (Microsoft)
- It includes a sense of urgency (2 days to scan QR code)
- It provides a consequence for not following through with their request (account interruption)
These tactics increase cybercriminals’ success rate. So, ensure you take note when you receive an email that has high levels of immediacy and requests that you take action.
How to Protect Your Business from QR Code Phishing
Recently, our cybersecurity experts have seen a rise in QR code phishing emails being sent. To minimize your QR code risk, use good cyber hygiene to better protect yourself and your organization. Here are 6 essential tips to share with your coworkers:
Do Not Scan Codes
The best way to mitigate risk is to not scan any QR codes – especially on business smartphones. Instead, navigate to the site you want to interact with or pay for goods and services directly.
Look Closely
If you are considering scanning a physical QR code (on a window, meter, sign, etc.), look closely at it to ensure that it has not been tampered with. Keep in mind that just because you verify it is the only code there, it does not mean that it is not malicious. A cybercriminal may have placed their code in a location where none previously existed.
Confirm QR Code Legitimacy
If you receive a code from someone you believe you know, reach out to them directly using their known contact information (i.e., a phone number you use regularly to speak with them) to verify it is safe and not from a cybercriminal.
Review Web Address
Once you scan a QR code, review the web address to ensure it is the site you expect – with the proper spelling and punctuation.
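The review step above, written as a check that can run on the text decoded from a QR code (an added example, not code from this article's author). The allowlist, the function names `review_qr_url` and `edit_distance`, and every sample URL are constructed for illustration; besides near-miss spellings, the check goes a little beyond the tip and also flags non-HTTPS addresses and hosts where the expected name is only a prefix or sits before an "@".

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains you expect a scanned code to lead to.
EXPECTED_DOMAINS = {"cityparking.example", "contoso.example"}

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_qr_url(payload, expected=EXPECTED_DOMAINS):
    """Return (verdict, reasons) for the text decoded from a QR code."""
    reasons = []
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "suspicious", ["not a parseable web address"]
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if parts.username is not None:
        reasons.append(f"text before '@' is decoration; the real host is {host}")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        reasons.append("internationalized host can imitate Latin letters")
    # Match whole labels only, so 'notcityparking.example' does not pass.
    on_list = any(host == d or host.endswith("." + d) for d in expected)
    for d in sorted(expected):
        if on_list:
            break
        tail = ".".join(host.split(".")[-d.count(".") - 1:])
        if 0 < edit_distance(tail, d) <= 2:
            reasons.append(f"{tail} is a near-miss spelling of {d}")
        if host.startswith(d + ".") or f".{d}." in host:
            reasons.append(f"{d} is only a prefix of {host}")
    if reasons:
        return "suspicious", reasons
    return ("expected" if on_list else "unknown"), reasons

if __name__ == "__main__":
    for url in ("https://cityparking.example/meter/12",  # constructed samples
                "https://cityparkinq.example/meter/12",
                "https://cityparking.example.pay-now.test/meter/12",
                "https://cityparking.example@pay-now.test/meter/12"):
        print(url, "->", review_qr_url(url))
```

A verdict of "unknown" means only that the host is not on your list; it still deserves the manual review described above.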
Be Cautious with Personal Information
Think twice before entering personal information, login credentials, or financial information into a site that you navigated to from a QR code. If you receive a message that requests you complete a payment through a QR code, it’s safer to manually navigate to the organization’s website or call to process the payment.
Avoid Downloading Apps
Instead of downloading an app from a QR code, it is much safer to navigate to your phone’s app store. App stores have processes and systems in place to ensure apps are safe for download. In the same vein, avoid downloading QR code scanner apps. Use the one that comes with your phone’s operating system.
How to Report QR Code Fraud
If you or your organization experiences QR code fraud, report it to the FBI as soon as possible. To submit your report, contact your local FBI field office and the FBI Internet Crime Complaint Center.
Learn More About Phishing
Check out our ultimate phishing guide to learn more about other phishing attacks and how to boost your organization’s security.