QR codes have become an integral part of our everyday life due to their simplicity. While they’ve been around for many years, their use exploded during the COVID-19 pandemic, when businesses turned to them for contactless menus, payments, and check-ins.
While QR codes are convenient, they also present significant risks. In the past few years, cybercriminals have increasingly turned to these codes as a tool to carry out scams.
QR code security risks
The main problem with QR codes is that users can’t always verify the source before scanning. Since they can link to websites or other data, scammers can hide dangerous links or malware in them.
A term used to describe phishing attacks that involve QR codes is quishing.
Quishing attacks differ from traditional phishing scams in the way the malicious link is delivered. Instead of a standard text-based link in an email, attackers embed the link within a QR code. When a user scans the code, their device reads the embedded URL and directs them to the fraudulent website.
Help Net Security recently wrote about scammers who have used QR codes in physical letters to distribute Android malware.
Tampering with physical QR codes by replacing legitimate ones in public places—such as restaurant tables, parking meters, posters, or flyers—is a technique that has been growing in recent years. Last year, the RAC issued a warning to motorists in the UK about parking lot fraud, where fake QR code stickers were used to mislead them into paying fees on phishing web page, stealing their payment card credentials.
How to recognize and avoid malicious QR codes
Be cautious of QR codes in public places or in the mail: A QR code in a public place or one that arrives in the mail could have been placed by a scammer, so don’t scan anything that seems out of place.
Avoid entering sensitive information: Avoid sites accessed through a QR codes that request personal details, login credentials, or payment information.
Watch out for tampering: Scammers often place fake QR code stickers over real ones, especially on posters, menus, or public kiosks. If something looks suspicious, it might be a sign of a scam, so it should be best to not scan at all.
Manually enter URLs: If a QR code is supposed to take you to a well-known website, type the URL manually instead of scanning.
Use security apps to scan QR codes: Some apps can analyze QR codes for potential threats, warning you if a code leads to a suspicious website.
How can businesses secure QR codes
With QR code scams on the rise, businesses need to take proactive steps to protect their customers and brand reputation. Here are a few measures they can implement:
Use dynamic QR codes with expiration dates: Dynamic QR codes can be set to expire after a certain time, making it much harder for scammers to exploit them.
Implement URL shorteners with verification: Some URL shortening services offer built-in verification to ensure that links are directing users to legitimate websites. This adds an extra layer of security.
Monitor QR code usage: By tracking scan activity, businesses can detect unusual patterns, such as scans from unfamiliar locations or odd hours. Identifying these early can help stop fraud before it happens.
Add security markers to QR codes: Adding watermarks, logos, or other branding on QR codes can help customers distinguish legitimate codes from tampered ones.
Businesses can also improve security by using QR code scanners with security features and web-based link checkers like VirusTotal to detect potential threats.