Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

QR Code 101: What the Threats Look Like

Because QR codes can be used for phishing as easily as an email or text can, organizations must remain vigilant when dealing with them.

5 Min Read
Me, You & Thomas Watch Us on You Tube sticker with QR code on a Bristol BS8 street sign
Source: UrbanImages via Alamy Stock Photo

As QR codes have become ubiquitous, their proliferation has given rise to new and emerging security risks.

More than 80% of US-based QR code users said they think QR codes are safe, but only 37% of users could identify a malicious one, according to a recent report from Scantrust.

Fueled by such trust and by the widespread adoption of QR codes during the COVID-19 pandemic, QRishing (a fusion of "QR" and "phishing") involves crafting counterfeit QR codes that lead unsuspecting users to malicious websites, where sensitive information is sought and exploited by cybercriminals. This threat has thrived due to social engineering tactics — leveraging user trust, the ubiquity of QR code scanning, and the challenge of distinguishing genuine codes from fraudulent ones.

QRishing takes various forms, from affixing fake QR stickers over legitimate codes in commercial establishments to counterfeiting traffic fines with deceptive QR codes that harvest payment details or sensitive data. The scam also includes "reverse QR," where cybercriminals trick users into making unauthorized payments or sharing data via manipulated QR codes.

The success of QRishing hinges on exploiting user trust and the allure of fake discounts. Victims often get tricked into sharing malicious QR codes with their contacts, multiplying the risk.

Meanwhile, "QRLjacking" poses a rising threat, targeting services, such as WhatsApp, that rely on QR codes for logins to gain unauthorized access and access sensitive information.

QR Scams Have Global Impact

Raquel Puebla, cyber intelligence analyst at Entelgy Innotec Security, explains that QR attacks are executed all over the world. She points to a recent campaign in China in which attackers added fraudulent QR codes parking tickets left under windshield wipers.

These codes claimed to facilitate payment of the violation, when in fact they were collecting personal and banking information from the victims.

"In Germany, investigators were able to identify a campaign in which, through fraudulent emails containing QR codes, attackers contacted online banking customers and obtained sensitive information," she says.

A campaign recently affected the public transport services BiciMAD and Bicing in Madrid, Spain, in which fraudulent QR codes were attached to the bicycles of these services, she adds.

"They appeared to constitute a service of unlocking the bicycle in exchange for a certain monetary amount," she says. "Instead of unlocking the transport, the money passed into the hands of cybercriminals."

Mobile Phones Are Less Protected

Patrick Harr, CEO at SlashNext, points out that QR codes are a convenient way to spread mobile-based phishing campaigns and that many mobile phones do not have phishing protection.

"Many companies that offer QR code and short code creation have security to prevent hackers from using their service to create malicious QR codes," he says. "However, there are still many services that hackers can use, so it's important to have mobile protection against malicious links."

Mobile phones provide bad actors with access to corporate accounts, banking information, and other personal data, he adds.

In addition to sending users to websites that phish their credentials, attack their devices with client-side exploits, or entice them to download malicious apps, techniques such as QRLJacking allow attackers to perform account hijacking for apps that use a QR code for login, says Georgia Weidman, security architect at Zimperium.

"There are many legitimate uses for QR codes — in fact, many [multifactor authentication] apps use them for setup, and we all know the value MFA lends to keeping our accounts secure," she says. "However, there is no message authentication code or otherwise in QR codes to verify that an attacker hasn't replaced your organization's QR code with a malicious one."

Adds Harr: "It's important for organizations to have mobile protection against malicious links because, given the proliferation of QR codes in our daily life, it's becoming impractical to avoid them completely."

Train People to Parry QR Attacks

Itxaso Reboleiro, cyber intelligence analyst at Entelgy Innotec Security, says awareness is always the starting point to fend off a cyberattack that uses social engineering tactics.

"Companies should establish small training sessions and bulletins in which employees are kept abreast of the latest developments in cyber threats," she says.

In the case of QRishing, organizations should advise employees not to scan QR codes pasted into emails of dubious origin or posted in random places, such as public roads because cybercriminals take advantage of busy places to capture a greater number of victims.

QR readers can show users the URL of a website before taking them there, Reboleiro explains.

"In this way, employees can be sure of the content hosted by the redirect before accessing the content or entering sensitive information," she says.

Users should immediately close the website if, after scanning a QR code, they notice that the pages displayed appear to be unrelated to the expected content, Reboleiro adds. They should not enter personal data or credentials into such sites, even if requested, either.

"Employees should promptly notify their managers or the company's cybersecurity staff to take appropriate security measures," she says.

From Weidman's perspective, the best plan is to train employees on the security implications of QR codes, so they are using their security awareness thinking caps while interacting with them in the wild. For example, the Open Web Application Security Project (OWASP) includes technical details on how QRLJacking works and ways to mitigate the risks of QRL code attacks in apps.

"If your organization uses QR codes for authentication, it is important to be aware of the kinds of attacks that attackers are using and to implement mitigation strategies for them," Weidman says.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights