Understanding the Cyber-security Risks of QR Codes
Quick response (QR) codes are a popular marketing, sales, payment and customer service tool for several businesses. However, as QR codes have become more prevalent, malicious actors have found ways to use them in phishing attacks and to spread malware.
These vulnerabilities can lead to significant financial and reputational damage, so it is essential for organisations to be aware of and mitigate these risks. This article provides more information on QR codes and their risks and offers tips on addressing the hazards they present.
What Are QR Codes?
QR codes are a series of pixels arranged to form a large square that contains a long string of data. They function similarly to a barcode. They can be scanned by code readers or smartphones and often contain URLs so individuals can access websites without having to type in a specific web address. Once scanned, QR codes allow a quick and convenient way for clients to access a business’s information or leave a review. They can also be used to prompt users to take certain actions, such as making a payment or downloading an app. QR codes can be placed on various items such as posters, leaflets, menus or billboards. They can also be included as images in digital communications sent through email or messaging apps.
The Risks of QR Codes
Although they can be a useful tool, the nature of QR codes allows them to be exploited by cyber-criminals. Since legitimate QR codes appear as a random scramble of pixels within a larger square, it can be difficult for users to differentiate between the safe and malicious ones. Additionally, QR codes may be standalone images, so they may not be accompanied by telltale signs of malicious activity, as is often the case with fraudulent emails (eg misspellings, suspicious links).
Cyber-risks & Liabilities Organisations encounter risks from QR codes in a couple of ways: They are exposed to cyber-security threats if an employee scans a malicious QR code, and if a company utilises QR codes for business purposes, their legitimate codes can be manipulated by cyber-criminals, potentially impacting their customers and their business’s reputation.
Examples of how cyber-criminals can exploit QR codes include:
- Replacing or tampering with QR codes—Malicious actors may place their counterfeit QR code over a legitimate one or alter a legitimate one.
- Placing QR codes in high-traffic areas or in strategic locations—Cyber-criminals may place QR codes in high-traffic areas or near places where they might seem connected to a location or object (eg on a parking meter). Curious passersby or those thinking the QR codes serve a function (eg paying for parking) may then scan the malicious code.
- Sending fraudulent QR codes in an email or through an app—Malicious actors may include a QR code in digital communication with language accompanying it to make the code seem legitimate.
Once the fraudulent QR code is scanned, a user may be vulnerable to various security issues, including:
- Quishing—This is a form of phishing where the cyber-criminal seeks to steal an individual’s credentials, passwords or other personal data after a user accesses the website through the malicious QR code. The cyber-criminal may use social engineering techniques in order to trick a user into thinking the website is legitimate and, therefore, safe to enter their sensitive information.
- QRLjacking—This involves a cyber-criminal spreading malware to an individual’s devices after a fraudulent QR code directs the user to a malicious URL.
- Device hacking—Under certain circumstances, a malicious actor may be able to access a user’s device if they scan a fraudulent QR code. The hacker then may be able to place a call, send a text or make a payment from the compromised device.
Mitigating the Risks of QR Codes As cyber-criminals increase their use of QR codes, it is essential for organisations to mitigate the risks associated with them. Strategies include the following:
- Provide continuous education to employees on the latest cyber-threats and dangers connected to QR codes.
- Carefully examine QR codes to ensure they were not tampered with or altered before scanning them.
- Be cautious when scanning QR codes and double-checking the web address of the site they direct users to.
- Install security software with content filtering that inspects links and attachments and blocks access to suspicious items.
- Maintain strict access controls to limit damage from malicious actors if they obtain login credentials.
- Utilise multifactor authentication systems to add a layer of protection to business systems in case employee passwords or credentials have been compromised.
- Advise employees not to scan QR codes if they are unsure of their origin.
- Keep all devices updated and patched.
- Disable automatic QR code scanning on devices.
- Review default settings and permissions regarding the sharing of sensitive information.
- Train employees on how to safely use their technology in a bring-your-own-device environment.
- Reduce the use of QR codes in electronic business communications to disincentivise cyber-criminals from using them to target customers.
Organisations wishing to use QR codes can also take steps to protect their customers. Techniques to consider include:
- Using a reputable QR code generator
- Customising the QR code to include the company’s branding
- Testing the QR code before distributing it
- Ensuring the linked website is strongly encrypted and has visible indications of SSL protection.
Conclusion
QR codes provide a useful function, but they can also serve as an entry point for malicious individuals to steal credentials, insert harmful software, and compromise the security of an organisation and its customers. This can lead to significant financial losses and reputational damage. By implementing risk reduction strategies, companies can protect their business, employees and clients. Contact us today for more information and risk management solutions.