There are several ways cybercriminals could leverage QR codes for their own malicious objectives. One method would be to hack into a business’s website and replace the QR code with their own. Because QR codes look so similar to one another, a swapped code would be incredibly hard to spot. Scanning this code could automatically route unsuspecting consumers to a phishing URL, where cybercriminals could request user credentials and then take control of email or social media accounts, for example. It could also lead users to a less legitimate app store where they might unknowingly download a malicious app containing a virus, spyware, trojan, or other type of malware, which could lead to data theft, privacy breaches (GPS location or contact list stolen, calls and messages intercepted), ransomware extortion, or sometimes cryptomining.
Another cybercriminal technique is a honeypot. Threat actors could set up an unsafe Wi-Fi network promising free internet to anyone who scans their QR code. Once a device is connected, hackers can eavesdrop on or intercept the data being shared, and steal personally identifiable information, confidential business information, online banking credentials, and credit card information. With remote working likely to continue, it is important we are all aware of such methods and only log into secure Wi-Fi networks.
QR codes: think before you scan
How can we protect ourselves? To the naked eye, there is no way to tell if a QR code is being abused by cybercriminals, but there are many precautions one can take to avoid falling victim.
Business owners and IT administrators need to carry out regular integrity checks on their sites and apps to ensure the code and link they are providing are what they intend. They can do this by regularly scanning the code and checking that the link embedded in the QR code is the correct one. They need to check both the web and mobile browser versions, as cybercriminals have been known to compromise only the latter to reduce the chance of detection.
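The integrity check described above, as an added example that is not from the original article: given the URL strings a QR decoder reads off the web and mobile versions of a page, it verifies each against the expected target and flags any difference between the two versions. The expected URL and the decoded sample payloads are constructed values; decoding the QR image itself is left to whatever scanner tool you use.

```python
"""Integrity check for QR-code link targets decoded from a site's web and mobile
versions. Added example, not from the original article; EXPECTED_URL and the
sample decoded payloads below are constructed values."""
from urllib.parse import urlsplit

EXPECTED_URL = "https://shop.example.com/menu"  # assumed legitimate target


def audit_payload(decoded: str, expected: str = EXPECTED_URL) -> list[str]:
    """Return the problems found in one decoded QR payload; empty means it matches."""
    findings = []
    got, want = urlsplit(decoded.strip()), urlsplit(expected)
    if got.scheme.lower() != "https":
        findings.append(f"scheme is {got.scheme!r}, expected https")
    if got.username or got.password:
        # e.g. https://shop.example.com@other.test/ shows the trusted name first
        findings.append("URL embeds userinfo; the real host is hidden after '@'")
    host = (got.hostname or "").rstrip(".")
    if host != want.hostname:
        findings.append(f"host {host!r} differs from expected {want.hostname!r}")
    elif got.path != want.path:
        findings.append(f"path {got.path!r} differs from expected {want.path!r}")
    return findings


def compare_versions(web_decoded: str, mobile_decoded: str) -> list[str]:
    """Audit the payloads served to desktop and mobile browsers separately and
    flag a mismatch, since only one version may have been tampered with."""
    findings = []
    if web_decoded.strip() != mobile_decoded.strip():
        findings.append("web and mobile QR payloads differ")
    findings += [f"web: {f}" for f in audit_payload(web_decoded)]
    findings += [f"mobile: {f}" for f in audit_payload(mobile_decoded)]
    return findings


# Constructed sample payloads, as a scanner would decode them from each version.
SAMPLE_WEB = "https://shop.example.com/menu"
SAMPLE_MOBILE = "https://shop.example.com@shop-example.test/menu"

if __name__ == "__main__":
    for finding in compare_versions(SAMPLE_WEB, SAMPLE_MOBILE):
        print("FAIL:", finding)
```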
Employers should also provide personnel with cybersecurity training to make them aware of the risks to the organisation as well as to themselves. These include using strong and unique passwords for both personal and work accounts, setting up multi-factor authentication, and identifying phishing emails as well as unsafe virtual environments. As many employees continue working from non-corporate environments, cyber awareness training will equip the remote workforce with the knowledge and awareness to make sensible decisions, preventing attackers from gaining access to personal and corporate networks, devices, and data.
We’ve all been taught to ‘think before we click’ on a suspicious link or email, but now it’s time to revisit this for QR codes – so think before you scan. Don’t scan a QR code if you don’t know where it will lead, and preview the website and domain name to ensure it’s where you expected to be directed. There are many secure QR code scanning apps which allow users to preview websites before they visit them. Many browsers also allow users to disable automatic redirects to websites, so individuals can check the URL domain and decide whether it is trustworthy, providing extra insight before taking action.
Make sure you only download apps from trusted sources such as Apple’s App Store or the Google Play Store, too. And continuously update all smart devices to benefit from the latest security protections.
In summary, my key takeaways are:
1- Think before you scan
2- Check after you scan
3- Be aware and alert