
Scanners Beware: The Cyber Security Challenges of QR Codes

Kim Drinkall October 10, 2023
This Blog Contains a QR Code for Free Ice Cream

From scanning to access restaurant menus, to finding out ‘more information’ about television adverts, the power of QR codes is undeniable. In fact, during the 2023 Super Bowl, over 20 million people scanned a QR code on a Coinbase commercial in under a minute and crashed the website. The Covid-19 pandemic made QR codes commonplace as the preferred contactless method, and we’ve become conditioned to scan these images without a second thought. In recent months, however, it has become apparent that we should be having second thoughts about what we’re scanning, and when, in order to protect ourselves.

How do QR Codes Work? 

A QR code, or quick response code, is a square barcode made up of a grid of black and white modules that encode binary data. The grid forms a unique pattern that a camera can recognise, and it directs the scanning device to whatever the creator chose: a link, a website, or even an electronic payment. The format is openly specified and free for anyone to use to create or read codes.

Common Scams 

Quishing, or QR code phishing, is a technique in which attackers use QR codes to redirect users to a destination that tricks them into giving up personal information, leads them to a malicious website, or downloads malware onto their mobile. These dangerous QR codes can then be posted in public, emailed, or even pasted over legitimate QR codes.

Lowering Defences

One reason this style of phishing has been successful is that many computers are protected by security measures such as antivirus and antimalware software. Prompting a victim to switch to their mobile, however, moves them onto a device with lighter protection that a cybercriminal can more easily get past, and unfortunately our personal devices hold a great deal of information.

Growing Business Landscape Threats

In recent months, QR codes have been found in several business email phishing campaigns. In fact, these types of attacks have increased by over 2400% since May of this year. The campaigns are frequently disguised as some sort of Multi-Factor Authentication (MFA) update or password update from a spoofed reputable source. The links take the victim to a spoofed website where they are tricked into entering their login details or other valuable data.

Everyday Application

It’s not just business emails that are at risk. In one example, a woman saw a sign on the window of a bubble tea shop where they offered a free bubble tea for a filled-out survey. Thinking it was a good deal, the woman downloaded the app that the QR code linked to and filled out the survey. That night, £16,500 was stolen from her bank account via the malware she had unwittingly downloaded onto her phone earlier that day from the QR code. 

Stopping the Pattern 

So how are these cybercriminals getting away with it? Because a QR code is an image, email gateways that scan text for malicious URLs cannot currently detect a malicious link embedded in the image or in an attachment. Several vendors are, however, working to add this kind of detection to their services.

How to Avoid These Scams 

There is no way to completely protect yourself from cyberattacks, but doing everything you can to protect yourself and your business is integral to success. Ways to build up your protection include: 

  • Enforcing strong policies like password hygiene and MFA 
  • Antimalware software 
  • Email protections like:
    • Antispam filters
    • Blacklisting 
    • Email security services 

How to Recognise Phishy QR Codes 

The most important part of protecting yourself and your business is educating yourself and those around you on recognising and avoiding phishing attempts. Like other phishing styles, QR code phishing has common indicators. Watch for: 

  • Receiving an email containing a QR code (businesses that want you to update information will send links) 
  • QR codes from unfamiliar sources or spoofed reputable sources 
  • Language evoking a sense of urgency 
  • QR codes that direct you to update sensitive information like MFA details, passwords, or payment
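As an added example (not code from the original post), here is the triage a gateway or a cautious user could apply to a QR payload once the image has been decoded, covering the indicators listed above and the gateway gap described under "Stopping the Pattern". The keyword list, shortener list, trusted domain, thresholds and sample payloads are constructed assumptions, and the decoding step itself (for example with a library such as pyzbar) is assumed rather than shown.

```python
"""Triage a decoded QR-code payload the way a URL filter would (added example).
Decoding the image (e.g. with pyzbar) is assumed and not shown; the keyword
list, shortener list, trusted domain, thresholds and samples are assumptions."""
from urllib.parse import urlsplit

# Lure wording the post describes: MFA, password and payment "updates".
LURE_WORDS = ("mfa", "2fa", "password", "login", "verify", "payment")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}      # assumed list
TRUSTED_DOMAINS = {"example.com"}                              # assumed brand
NON_WEB_SCHEMES = {"", "wifi", "tel", "mailto", "sms", "geo"}  # "" = plain text

def _is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def _looks_like_trusted(host: str) -> bool:
    # Brand name appears in the host, but the host is not the real domain.
    brands = (d.split(".")[0] for d in TRUSTED_DOMAINS)
    return not _is_trusted(host) and any(b in host for b in brands)

def assess_qr_payload(payload: str) -> dict:
    """Return {'verdict': allow|review|block, 'reasons': [...]} for one payload."""
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme  # urlsplit lower-cases the scheme
    if scheme in NON_WEB_SCHEMES:
        # Legitimate QR uses, but a URL filter never sees them: hand to a human.
        return {"verdict": "review", "reasons": [f"non-web payload ({scheme or 'text'})"]}
    if scheme not in ("http", "https"):
        return {"verdict": "block", "reasons": [f"unexpected scheme '{scheme}'"]}
    host = (parts.hostname or "").lower()
    reasons = []
    if scheme == "http":
        reasons.append("plain http, no TLS")
    if host in SHORTENERS:
        reasons.append("link shortener hides destination")
    if host.replace(".", "").isdigit():
        reasons.append("IP-literal host")
    if _looks_like_trusted(host):
        reasons.append("look-alike of a trusted domain")
    if any(w in text.lower() for w in LURE_WORDS):
        reasons.append("credential or payment lure wording")
    verdict = "block" if len(reasons) >= 2 else "review" if reasons else "allow"
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample payloads, as a decoder would hand them back.
SAMPLE_PAYLOADS = ("https://example.com/menu", "https://bit.ly/3xyz",
                   "https://example-com-mfa-update.net/verify",
                   "http://203.0.113.5/login", "WIFI:T:WPA;S:cafe;P:secret;;")

def triage(payloads=SAMPLE_PAYLOADS) -> dict:
    """Map each payload to its verdict, e.g. to tag a message with the worst one."""
    return {p: assess_qr_payload(p)["verdict"] for p in payloads}
```

The lure-word check is deliberately coarse (it will flag a legitimate `login.` host), which is why single hits land in "review" rather than "block".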


What to Do If You've Been Quished 

If you suspect you’ve scanned a malicious QR code, report the incident to the proper authorities so they can investigate and hopefully stop the scammer from getting further victims. Next, keep an eye on your personal information, including finances, to watch for potential fallout. 

Stay Vigilant 

The cyberattack landscape is constantly evolving. Staying on top of new methods and learning everything you can is a great way to protect yourself and your business. If you want to learn more about phishing methods and how to protect yourself, download our Phishing Field Guide. Remember, we are our best defence. Think twice before you scan or click!