The ubiquity of QR codes is providing a massive opportunity for cybercriminals to “quish” people, and it’s easy to see why, says Sam Mayne, Product Solution Analyst, VIPRE Security Group.
QR codes have become a part of our daily lives, from parking spaces and ordering food in restaurants to contactless payments. Scammers place fake QR codes in busy public areas (physical and online), such as shopping malls, charity websites, events, and beyond. QR codes are often embedded in phishing emails and fake social media ads to trick users into visiting malicious websites. Scammers are even using QR codes to trick crypto users into transferring funds to fraudulent wallets, leveraging the growing popularity of crypto investments.
People routinely scan these codes without checking their origin, assuming they are legitimate. And understandably so. The ease of use and speed of transaction that QR codes provide are the very reasons for their popularity. The problem, though, is that there is no room for miscalculations and misapprehensions: one scan and the user is phished!
QR code verification
While QR codes are simple to scan, they are notoriously difficult to verify. Unlike suspicious links that users may be more cautious about, malicious QR codes can be seamlessly integrated into public spaces, emails, or websites, making their malicious intent even harder to detect. Once scanned, these codes redirect unsuspecting users to fake websites or initiate malware downloads without raising immediate alarm.
Most users use smartphones to access QR codes, and this gives criminals a further opportunity. With users on potentially less-secure devices such as tablets and smartphones, the threat actors are able to isolate the victim from machines where antivirus technologies are mostly installed. Criminals also don’t need to include the actual malicious or phishing URL in the text of their spam emails; it sits inside the QR code image, which bypasses some email security protections that rely on URL scanners.
The convenience of QR codes comes with hidden risks. People should use them with a discerning eye, staying vigilant when encountering QR codes, especially during this holiday period. Scammers love to take advantage of the holiday hustle and bustle, luring unsuspecting victims with festive-themed quishing schemes of that “incredible holiday deal”, or some such offer. Individuals must take a moment to pause and scrutinise the QR code before scanning.
Foremost, individuals should opt for apps that can preview the URL linked to the QR code before they visit the site. This simple precaution allows the chance to inspect the destination and make an informed decision about whether it’s safe to proceed. Resisting the temptation to blindly scan a QR code, no matter how legitimate it might seem, is good self-discipline.
People should also be wary of QR codes found on unsolicited mail, flyers, or in unusual locations. Scammers often use these methods to lure unsuspecting victims into their schemes. If an offer appears too good to be true, it’s best to err on the side of caution and avoid scanning the code altogether.
QR code safeguards
As businesses continue to embrace the convenience and versatility of QR codes, organisations must also take proactive steps to protect their operations and customers. Foremost, businesses should consider investing in technology solutions that provide deeper layers of QR code security, helping to verify the authenticity and security of QR codes in business operations. Technologies that can perform comprehensive scans of QR codes, analysing the underlying URLs and data, offer an essential safeguard against quishing threats. By incorporating these advanced security tools, businesses can bolster their defences and instill confidence in customers who use their QR codes.
Businesses should develop and enforce strict guidelines for the creation, distribution, and use of QR codes within the organisation. This includes establishing clear protocols for generating, sharing, and validating QR codes to ensure their legitimacy and traceability. By implementing these measures, they will minimise the chances of rogue or compromised QR codes infiltrating their operations.
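A minimal sketch of the URL analysis and validation step described above, added here as an illustration and not taken from VIPRE or any product. It assumes the QR payload has already been decoded to a string by a scanner; the allowlisted hostnames and the sample payloads are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hostnames the organisation actually publishes QR codes for (placeholders).
ALLOWED_HOSTS = {"example.com", "pay.example.com"}

def inspect_qr_payload(payload, allowed_hosts=ALLOWED_HOSTS):
    """Return a verdict, the destination host and the reasons for one decoded QR payload."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return {"verdict": "block", "host": None, "reasons": ["malformed URL"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Wallet URIs, Wi-Fi configs and plain text cannot be judged as web links.
        why = "non-web payload (%s)" % (scheme or "no scheme")
        return {"verdict": "review", "host": None, "reasons": [why]}
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if scheme != "https":
        reasons.append("not https")
    if parts.username or parts.password:
        # "https://trusted@other-host/" really goes to other-host.
        reasons.append("credentials embedded before the host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible lookalike domain)")
    if host not in allowed_hosts:
        reasons.append("host not on the organisation's allowlist")
    return {"verdict": "block" if reasons else "allow", "host": host, "reasons": reasons}

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://pay.example.com/invoice/1234",
    "https://pay.example.com@login.example.net/invoice",
    "http://192.0.2.10/parking",
    "bitcoin:EXAMPLEADDRESSPLACEHOLDER?amount=0.5",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_qr_payload(sample))
```

The second sample shows why previewing the real destination matters: the trusted name appears before the `@`, but the host the browser would contact is the one after it.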
Education, education, education! There is simply no replacement for this, no matter how advanced technology gets. Aside from regular training sessions for employees, coaching them in a hands-on manner on the risks of QR code phishing and the tactics used by malicious actors is an exercise worth undertaking, especially as we approach the holiday period. For example, creating a QR code phish that appears within the context of the organisation or closely reflects the workings of the business could be a good way to test the susceptibility of employees to quishing. It will help to encourage a culture of caution when it comes to QR code usage.
By taking a multifaceted approach to QR code security, businesses can harness the benefits of this technology while mitigating the risks posed by quishing scams. Through employee education, policy enforcement, and the adoption of security solutions, organisations can build a robust defence against these evolving threats, protecting their operations, employees, and valued customers.





