QR Code Security Risks: What You Need To Know About Quishing
Summary: This 3-minute article explores the new popularity of QR codes in all kinds of businesses, the risks involved and the cyber defense solutions required to protect SMBs from quishing attacks. For more detailed information about this increasing threat, contact DIGIGUARD Cyber Security at https://www.digiguardsecurity.com/ to discuss the best comprehensive cyber security for your SMB.
When the pandemic hit the world, QR (Quick Response) codes came to the rescue with “contactless” business functions available through smartphones. Businesses such as restaurants did not have to disinfect or throw out menus. Instead, diners could browse, order and pay for meals without passing credit cards or menus back and forth. QR codes have become very user-friendly too. Most smartphone cameras recognize a code automatically and offer to open the link embedded in it.
However, in the IT world, almost everything invented to make life easier comes with cyber security risks. Easy access for users unfortunately means easier access for attackers to reach their private data. Legitimate businesses that operate with QR codes will not abuse them. But a QR code is simply an opaque container for text, usually a URL, that a person cannot read by eye. Scanning it does not by itself compromise the phone; it puts a link in front of the user with none of the cues a typed or hovered URL would give, and cybercriminals have found ways to capitalize on that opacity.
Fake QR Codes
A phishing attack launched with the fraudulent use of QR codes is called “quishing.” The FBI (https://www.ic3.gov/Media/Y2022/PSA220118) warned about QR codes: “…cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use.” Here are some ways hackers approach QR code phishing:
- Fake QR Code Stickers – An experienced cyberthief can print real-looking QR codes on stickers that are easily placed over legitimate codes to trick users into scanning the fake code. Scanning the sticker directs users to a malicious website that serves malware or requests personal information, such as login credentials. Many such sites also prompt users to enter payment details to complete a bogus transaction. Stickers can be placed almost anywhere, and users may be tempted to scan a code without being sure of its legitimacy.
- Counterfeit Parking Tickets – Hackers have created fake parking tickets to place on cars. The tickets look legitimate and carry a QR code that supposedly leads to a page for paying the fine. The payment site might look authentic when, in reality, the funds, credit card data and banking information go to the cyber criminals.
- Random QR Codes – Cybercrooks count on user impulsivity and the fact that users have been trained to scan and act on QR codes. Random codes on flyers, lying on sidewalks or stuck on the side of buses or parking meters are all instances in which users should err on the side of thinking before tapping. The scan itself usually only decodes the link; the damage is done when the user opens it and then enters data, approves a payment or installs what the page offers. The moment between seeing the decoded link and tapping it is the last chance to stop.
QR Code Security
Thankfully, there are some user tips and best practices that can reduce the chances of being “quished:”
- Be Careful With Personal Info – If you are directed to a site by scanning a QR code, remember to check the site’s authenticity before sharing your personal or financial data.
- Double-Check Site Authenticity – As with other types of phishing attacks, examine the website to which a QR code directs you. The malicious site might look similar to the authentic site on which it’s based. On a phone you cannot hover over a link, so read the URL in the preview the camera app shows before tapping, and again in the browser’s address bar once the page loads: check the registered domain name (the part just before the top-level domain), not just a familiar brand name that may be buried in a subdomain or in the path. Careful users who examine the domain and the page’s visual details can mitigate the chances of being fooled by a bogus website.
- Never Download Apps From A QR Code – It is a smart practice to only install apps from the app store on your phone. Store review does not guarantee an app is safe, but it is far better than sideloading a package or installing a configuration profile from a link that a QR code handed you; a QR code that leads to an installer rather than to a store listing is a warning sign in itself.
- Be Sure You’re Scanning The Original QR Code – Extra care should be given to examining any physical QR code before scanning it. Look for unusual alterations to the code and ensure there’s not a fake QR code covering the authentic code. Sometimes stickers are hard to spot.
- Avoid Downloading Separate Scanner Apps – Fortunately, most new phones include QR scanning in the camera app. Do not be tempted to download a separate scanning app. Some third-party scanner apps have shipped adware or malware, and many request permissions far beyond the camera, which is all a scanner needs.
- Double-Check Trusted Sources – If you receive a QR code from what you believe is a trusted source, it is still prudent to call or contact them in some other way to verify that the code is from them.
- Make Payments Via Trusted URLs – Rather than submitting payments or financial information through a site a QR code opened for you, type the URL you already know or use the organization’s official app. If a parking fine or invoice is real, it can be paid through the channel printed on official material, not only through the code.
- Avoid QR Codes In Emails – Just as we warn users to beware of clicking on files and attachments embedded in emails, the same caution should be applied to QR codes. Attackers like them for two reasons. First, the link is hidden inside an image, so email security filters that rewrite or reputation-check URLs in the message text never see it. Second, scanning moves the user from a managed company laptop to a personal phone that sits outside the company’s web filtering and endpoint protection. Email is a standard delivery system that relies on the impulsivity of users; a QR code in an email that asks you to “scan to verify your account” or “scan to view a secure document” should be treated as phishing.
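The checks in the tips above (scheme, domain, look-alike brand names, shorteners, non-URL payloads) can be automated for anyone who wants to triage a decoded QR payload before acting on it, for example in a help-desk tool or a mail-gateway enrichment step. The following is an added example written for this article, not code from the original page or from DIGIGUARD. It assumes the QR image has already been decoded to its text payload (the phone camera or a library such as pyzbar does that part), and the expected-host list and shortener list are constructed for the demonstration; the registrable-domain guess is deliberately crude and a real tool should use the Public Suffix List.

```python
"""Triage a decoded QR payload before opening it.

Added example for illustration; assumes the QR code has already been decoded
to its text payload. The domain lists are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed for the example: hosts the user genuinely intends to deal with.
EXPECTED_HOSTS = {"example-restaurant.com", "pay.example-city.gov"}

# Constructed list of common URL shorteners; a shortener hides the destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

# Findings with any of these codes are serious enough to rate "high" on their own.
HARD_CODES = {"scheme", "nohost", "userinfo", "ip", "brand"}


def registrable(host):
    """Crude registrable-domain guess: the last two labels. Good enough for the
    demo; real code should consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Return (risk, reasons) for a decoded QR payload; risk is low/medium/high."""
    text = payload.strip()
    upper = text.upper()

    # A QR code can carry more than a link: Wi-Fi credentials, SMS, phone
    # numbers. Those deserve the same suspicion as an unexpected URL.
    if upper.startswith("WIFI:"):
        return "medium", ["joins a Wi-Fi network; could be a rogue access point"]
    if upper.startswith(("SMSTO:", "SMS:", "TEL:")):
        return "medium", ["sends an SMS or places a call; premium-rate abuse risk"]
    if upper.startswith("MAILTO:"):
        return "low", ["opens a mail draft; check the recipient address"]

    findings = []  # (code, human-readable reason)
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # intent://, market://, custom app schemes, or bare text with no scheme.
        return "high", [f"not an http(s) URL (scheme '{scheme or '(none)'}')"]
    if scheme == "http":
        findings.append(("http", "plain http, no transport security"))

    host = (parts.hostname or "").lower()
    if not host:
        return "high", ["no host in URL"]

    # https://bank.example@evil.example puts the brand before '@' and the real
    # host after it; the phone preview often shows only the start of the URL.
    if parts.username or parts.password:
        findings.append(("userinfo", "userinfo before the host; real host is " + host))

    try:
        ipaddress.ip_address(host)
        findings.append(("ip", "raw IP address instead of a domain name"))
    except ValueError:
        pass

    if host.startswith("xn--") or ".xn--" in host:
        findings.append(("idn", "punycode host; possible homograph look-alike"))

    if registrable(host) in SHORTENERS:
        findings.append(("shortener", "URL shortener hides the real destination"))

    try:
        if parts.port not in (None, 80, 443):
            findings.append(("port", f"unusual port {parts.port}"))
    except ValueError:
        findings.append(("port", "malformed port"))

    if host.count(".") >= 4:
        findings.append(("nested", "deeply nested subdomains, often used to bury a brand name"))

    # Brand name present but not as the registered domain, e.g.
    # pay.example-city.gov.verify-fine.example
    for expected in expected_hosts:
        if expected in host and registrable(host) != registrable(expected):
            findings.append(("brand", f"contains '{expected}' but registered domain is '{registrable(host)}'"))

    if host not in expected_hosts:
        findings.append(("unknown", "host is not one of the expected domains"))

    codes = {code for code, _ in findings}
    if codes & HARD_CODES or len(findings) >= 2:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return risk, [reason for _, reason in findings]


if __name__ == "__main__":
    # Constructed sample payloads, as a decoder would hand them over.
    samples = [
        "https://example-restaurant.com/menu",
        "https://example-restaurant.com@evil.example/login",
        "http://192.0.2.10/pay",
        "https://bit.ly/3xyz",
        "https://pay.example-city.gov.verify-fine.example/ticket",
        "WIFI:T:WPA;S:FreeCafe;P:pass;;",
        "intent://scan/#Intent;scheme=zxing;end",
    ]
    for sample in samples:
        risk, reasons = triage_payload(sample)
        print(f"{risk:6} {sample}")
        for reason in reasons:
            print(f"       - {reason}")
```

The scoring is intentionally conservative: an unknown https host with nothing else wrong rates only medium, because most legitimate QR codes point at domains the user has never typed, but anything that disguises the real host (userinfo, a brand name in a subdomain, a raw IP) rates high regardless of what else is present.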
QR codes are welcome and convenient enhancements for helping users connect with legitimate companies’ platforms. However, they are also a growing part of the cyberattack landscape and should be used with appropriate caution.