
QR codes – is there a cyber risk?

QR codes have become commonplace in both our personal and business lives, from ordering a meal at a restaurant to entering a competition, downloading a document or even making a payment.

Whilst making life quicker and simpler and providing a useful tool for businesses, QR codes also offer yet another avenue for cyber criminals to infiltrate your world.

Here we explore the risks and share some top tips on protecting against the threats they present.

The risks of using QR codes
As QR codes have become more prevalent, criminals have found ways to use them in phishing attacks and to spread malware. Since legitimate QR codes appear as a random scramble of pixels within a larger square, it can be difficult to identify whether a code is genuine and safe or malicious.

Your business could be exposed to cyber risks from QR codes in a couple of ways:

  • An employee unwittingly scans a malicious QR code
  • A legitimate QR code created by your business is manipulated by cyber-criminals

The National Cyber Security Centre (NCSC) has published the following examples which highlight the emerging risks associated with QR codes:

  1. Most people are now suspicious of dubious-looking links in emails and are (correctly) cautious of clicking on shortened links. Criminals are therefore using QR codes to disguise the links to malicious websites that phishing emails contain
  2. Not all security tools designed to detect phishing emails will scan images, so a QR code directing the user to a malicious website might slip through the net
  3. Users are more likely to use their personal phone to scan the QR code. Personal devices may not have the same security protections as a computer that’s provided by your employer

These vulnerabilities can lead to significant financial and reputational damage, so it is essential to be aware of and mitigate these risks.

QR code cyber threats
Once a fraudulent QR code is scanned, a user may be at risk from:

  • Quishing — a form of phishing where the cyber-criminal seeks to steal an individual’s credentials, passwords or other personal data after a user accesses the website through the malicious QR code. The cyber-criminal may use social engineering techniques in order to trick a user into thinking the website is legitimate and, therefore, safe to enter their sensitive information. The NCSC is seeing an increase in these types of ‘quishing’ attacks
  • QRLjacking — a cyber-criminal spreads malware to an individual’s devices after a fraudulent QR code directs the user to a malicious URL
  • Device hacking — under certain circumstances, a malicious actor may be able to access a user’s device if they scan a fraudulent QR code. The hacker then may be able to place a call, send a text or make a payment from the compromised device

Mitigating the risks of QR codes
As cyber-criminals increase their use of QR codes, it is essential to mitigate the risks associated with them. Strategies include the following:

  • Provide continuous education to employees on the latest cyber-threats and dangers connected to QR codes and issue guidance not to scan QR codes if they are unsure of their origin
  • Be cautious when scanning QR codes and double-check the web address of the site the code is directing you to
  • Install security software with content filtering that inspects links and attachments and blocks access to suspicious items
  • Utilise multifactor authentication (MFA) to add a layer of protection in case employee passwords or credentials have been compromised

Using QR codes safely
QR codes can be a great tool for businesses and there are steps you can take to reduce the risk of cyber criminals compromising the codes you share with your clients and the wider world.

Techniques to consider include:

  • Use a reputable QR code generator
  • Customise the QR code to include the company’s branding
  • Test the QR code before distributing it
  • Ensure the linked website or document is strongly encrypted and has visible indications of SSL protection
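
The advice above to double-check the web address a code points to, and to test your own codes before distributing them, can be partly automated. The sketch below is an added example, not code from this article or from the NCSC: it takes the text a QR reader has already decoded and flags anything that is not an HTTPS link to a host you expect. The host lists and finding codes are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed values for illustration: swap in the domains your business owns.
EXPECTED_HOSTS = {"example.com", "www.example.com"}
# Small illustrative sample of link shorteners, not an exhaustive list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


def is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Return finding codes for a decoded QR payload; an empty list is a pass."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")        # no TLS, or not a web link at all
    if not host:
        return findings + ["no-host"]
    if parts.username is not None:
        findings.append("userinfo")         # text before '@' is not the host
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        findings.append("idn-host")         # internationalised name: check for lookalikes
    if is_ip_literal(host):
        findings.append("ip-host")
    elif host in SHORTENER_HOSTS:
        findings.append("shortener")        # real destination is hidden
    if host not in expected_hosts:
        findings.append("unexpected-host")
    return findings


if __name__ == "__main__":
    # Constructed payloads, as a QR reader would return them after decoding.
    for sample in ("https://www.example.com/menu", "http://www.example.com/menu",
                   "https://www.example.com@login.example.net/"):
        print(sample, "->", check_qr_payload(sample) or "ok")
```

A pass here only confirms where the link points; it says nothing about whether the destination site itself is trustworthy.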

For more information on protecting your business, talk to our cyber team.