Think twice before scanning the hidden dangers of QR codes.

Think twice before scanning the hidden dangers of QR codes.(Source – Shutterstock).

QR code logos are not just convenient – they’re also a hacker’s gateway

  • Their growing use in cybercrime now overshadows the convenience of QR code logos.
  • Easy digital access via QR codes is increasingly exploited for phishing and scams.
  • Rising cybersecurity threats demand caution, so balance the convenience of QR codes.

QR codes have seamlessly integrated into our daily lives, appearing on everything from advertising billboards to product packaging, and from restaurant menus to event tickets. They provide an easy way for people to access information, process payments, and engage with digital content.

Raghav Kapoor & Shyava Tripathi of Trellix highlight that people’s growing trust in QR codes, fostered during the Covid-19 pandemic for functions like contactless payments, has made people scan them readily. But cybercriminals thrive whenever there are points of trust in a system or a process. Our trust in QR codes allows cybercriminals to embed malicious links inside the codes or redirect users to fake websites. There is an expectation that QR codes may be increasingly used to distribute recognized malware.

QR code logos: a tool for cybercriminals

The ease with which QR codes can be created and distributed has lowered the barriers to initiating phishing or malware campaigns. The subsequent ease with which the QR codes can have harmful links embedded in them has created a cost-effective and accessible tool for cybercriminals. Moreover, the discreet nature of QR code attacks often leaves users unaware until the damage is done, complicating detection and prevention efforts.

Conventional email security systems frequently miss these QR code attacks, making them increasingly appealing to cybercriminals; as attackers refine their methods and create more convincing phishing schemes, the likelihood of their success increases. Users must remain vigilant when scanning QR codes from uncertain or dubious sources.

Although QR codes are common in physical spaces and consumer products, they are less prevalent in emails. This is primarily because people often view emails on mobile devices, where scanning a QR code from the same device is impractical. As a result, most emails use traditional hyperlinks. But a trend of incorporating QR codes in emails is emerging, and attackers are beginning to exploit it.

The security challenges posed by QR codes are substantial. Unlike traditional hyperlinks, which often allow users to preview or evaluate the destination’s risk, QR codes are less transparent. Deciphering and analyzing them requires sophisticated computer vision technology, which demands significant resources and investment. This complexity introduces a unique challenge for security systems. The nature of QR codes means the destination remains unknown until scanned, creating a security risk that is more difficult to manage than with standard hyperlinks.

Public warnings and reports on QR code attacks

The Federal Trade Commission (FTC) recently issued a warning in a consumer alerts blog, advising against scanning QR codes without due caution. Quite what ‘due caution’ looks like, given the opacity of result and destination of a QR code is less than entirely clear. The FTC warning though stems from concerns about security and privacy. Malicious actors can strategically place QR codes or send them through texts or emails, passively waiting to harvest sensitive data, money, or login details.

The New York Times reports that John Fokker, head of threat intelligence at Trellix, said that over ‘60,000 samples of QR code attacks’ were found in the third quarter of this year alone. The report also noted that these scams frequently involved impersonating payroll, HR personnel, and postal scams. In early 2023, police in several Texas cities reported finding fraudulent QR codes on parking meters, redirecting them to fake payment sites.

The Hoxhunt Challenge recently revealed concerning trends in employee susceptibility to phishing attacks, emphasizing the need for heightened engagement to reduce human risk. The study, encompassing 38 organizations across nine industries in 125 countries, discovered that 22% of phishing attacks in early October 2023 used QR codes to deploy harmful content.

The Challenge grouped employee reactions into three categories: successful identification, missed threats, and clicking/scanning. A mere 36% of recipients could correctly identify and report the simulated attack, indicating a significant vulnerability in most organizations. The retail sector had the highest rate of missed threats, while legal and business services were more proficient in spotting and reporting dubious QR codes.

Job roles also influenced susceptibility, as highlighted by the Challenge. Communications staff were 1.6 times more likely to interact with a QR code attack, whereas legal professionals exhibited the highest vigilance.

Scammers’ tactics and precautions to take

In addition to the insights from the Hoxhunt Challenge, there have been cases where scammers have overlaid legitimate QR codes on parking meters with fraudulent ones. They might also send QR codes via text or email, concocting various pretexts for scanning. These deceptive tactics include falsely claiming delivery issues, account problems, or suspicious activity, all aimed at creating urgency and tricking users into scanning without due diligence.

Scammers’ QR codes often lead victims to spoofed websites that appear legitimate, where any entered login information can be stolen. Alternatively, these QR codes might install malware capable of stealthily extracting personal data.

Beware of the latest scam trend - qr code logos.

Beware of the latest scam trend. (Source – X)

To protect yourself, exercise caution with QR codes in unexpected places and carefully examine the URLs to which they lead. Be skeptical of QR codes in unsolicited emails or texts, especially if they demand immediate action. Verify the legitimacy of such messages through known, reliable methods. Keep your phone’s operating system updated and secure your online accounts with strong passwords and multi-factor authentication.

While convenient and ubiquitous in our digital age, QR code logos present a growing security concern. The ease of their creation and the public’s growing trust in them has made QR codes a new frontier for cybercriminals. As these attacks become more sophisticated and more challenging to detect, individuals and organizations must exercise increased vigilance. Staying informed and alert is vital in navigating this evolving landscape of digital security threats posed by QR codes. The collective responsibility to safeguard data and privacy in the face of such challenges is more critical now than ever.