Quick response (QR) codes are a popular marketing, sales, payment and customer service tool for several businesses. However, as the presence of QR codes has become more prevalent, malicious actors have found ways to use them in phishing attacks and to spread malware.
These vulnerabilities can lead to significant financial and reputational damage, and it is essential for businesses to be aware of and mitigate these risks. This article provides more information on QR codes and their risks and offers tips on addressing the hazards they present.
What are QR codes?
QR codes are a series of pixels arranged to form a large square that contains a long string of data. They function similarly to a barcode. They can be scanned by code readers or smartphones and often contain URLs so individuals can access websites without having to type in a specific web address. Once scanned, QR codes allow a quick and convenient way for clients to access a business’s information or leave a review. They can also be used to prompt users to take certain actions, such as making a payment or downloading an app.
QR codes can be placed on various items such as posters, flyers, menus or billboards. They can also be included as images in digital communications sent through email or messaging apps.
The risks of QR codes
Although they can be a useful tool, the nature of QR codes allows them to be exploited by cybercriminals. Since legitimate QR codes appear as a random scramble of pixels within a larger square, it can be difficult for users to differentiate between the safe and malicious ones. Additionally, QR codes may be standalone images, so they may not be accompanied by telltale signs of malicious activity, as is often the case with fraudulent emails (e.g., misspellings, suspicious links).
Businesses encounter risks from QR codes in a couple of ways: They are exposed to cybersecurity threats if an employee scans a malicious QR code, and if a company utilizes QR codes for business purposes, their legitimate codes can be manipulated by cybercriminals, potentially impacting their customers and their business’s reputation.
Examples of how cybercriminals can exploit QR codes include:
- Replacing or tampering with QR codes — Malicious actors may place their counterfeit QR code over a legitimate one or alter a legitimate one.
- Placing QR codes in high-traffic areas or in strategic locations — Cybercriminals may place QR codes in high-traffic areas or near places where it might seem connected to a location or object (e.g., on a parking meter). Curious passersby or those thinking the QR codes serve a safe function (e.g., paying for parking) may then scan the malicious code.
- Sending fraudulent QR codes in an email or through an app — Malicious actors may include a QR code in digital communication with language accompanying it to make the code seem legitimate.
Once the fraudulent QR code is scanned, a user may be vulnerable to various security issues, including:
- Quishing — This is a form of phishing where the cybercriminal seeks to steal an individual’s credentials, passwords or other personal data after a user accesses the website through the malicious QR code. The cybercriminal may use social engineering techniques in order to trick a user into thinking the website is legitimate and, therefore, safe to enter their sensitive information.
- QRLjacking — This involves a cybercriminal spreading malware to an individual’s devices after a fraudulent QR code directs the user to a malicious URL.
- Device hacking — Under certain circumstances, a malicious actor may be able to access a user’s device if they scan a fraudulent QR code. The hacker then may be able to place a call, send a text or make a payment from the compromised device.
Mitigating the risks of QR codes
As cybercriminals increase their use of QR codes, it is essential for businesses to mitigate the risks associated with them. Strategies include the following:
- Provide continuous education to employees on the latest cyberthreats and dangers connected to QR codes.
- Carefully examine QR codes to ensure they were not tampered with or altered before scanning them.
- Be cautious when scanning QR codes and double-checking the web address of the site they direct to.
- Install security software with content filtering that inspects links and attachments and blocks access to suspicious items.
- Maintain strict access controls to limit damage from malicious actors if they obtain login credentials.
- Utilize multifactor authentication systems to add a layer of protection to business systems in case employee passwords or credentials have been compromised.
- Advise employees not to scan QR codes if they are unsure of their origin.
- Keep all devices updated and patched.
- Disable automatic QR code scanning on devices.
- Review default settings and permissions regarding the sharing of sensitive information.
- Train employees on how to safely use their technology in a bring-your-own-device environment.
- Reduce the use of QR codes in electronic business communications to disincentivize cybercriminals from using them to target customers.
Businesses wishing to use QR codes can also take steps to protect their customers. Techniques to consider include:
- Using a reputable QR code generator
- Customizing the QR code to include the company’s branding
- Testing the QR code before distributing it
- Ensuring the linked website is strongly encrypted and has visible indications of SSL protection
Conclusion
QR codes provide a useful function, but they can also serve as an entry point for malicious individuals to steal credentials, insert harmful software, and compromise the security of an organization and its customers. This can lead to significant financial losses and reputational damage. By implementing risk reduction strategies, companies can protect their business, employees and clients.
For more information on these and other cybersecurity-related questions, please contact your Preferred Loss Control Consultant.
This Cyber Risks & Liabilities document is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. ©2023 Zywave, Inc. All rights reserved.