A QR code is a set of instructions to be executed on a device. They can be used to send someone to a URL, share contact information from a business card, download an application from the app store, connect to a Wi-Fi network, or to automatically start a call, among other functionalities.
Unfortunately, these functionalities can be abused by attackers who look for weaknesses in how we use technology. QR codes are highly convenient, but that convenience sometimes comes at a price.
The very convenience of QR codes is also what makes them a cybersecurity challenge.
They can be exploited for malicious intent in various situations. For example, while dining at a restaurant, you might encounter a QR code for the menu. Without hesitation, you might scan it, only to be directed to a website that you did not expect.
In reality, this could be a deceptive phishing site aiming to steal your information or introduce malware to your device.
Similarly, you might find a sign in public instructing you to scan a QR code to access free Wi-Fi. The danger here is that you don’t know whether the network is trustworthy: by scanning the QR code, you are connecting your phone to a potentially malicious network.
Even a phone call can turn out to be costly
QR codes can even be used to automatically start a phone call to a so-called high-cost number which charges you money. The scammer may then attempt to use this phone call to scam you out of more money or collect sensitive information by pretending to be a trusted entity.
The existence of dynamic QR codes muddies the water even more. In this case, the QR code’s only purpose is to take you to an external site, and whoever hosts that site can change its content at any time.
Attackers may initially create a harmless webpage so that browsers classify it as safe, and only later upload malicious content or links. They may even serve malicious content only to certain connecting devices, in the hope that the page keeps its safe classification.
So how do we stay safe when there is no way to distinguish a safe QR code from a malicious one with the naked eye? I personally avoid scanning QR codes unless I know exactly why I’m scanning them, and I trust the source of the QR code.
Not the public ones
Never scan a QR code placed in public without any other information or context around it. This is one way that bad actors exploit your natural curiosity.
Avoid QR codes when you can by asking for a physical menu at restaurants or asking the staff for the QR code, or if this isn’t an option, make sure that the QR code is stored within plastic wrapping or signage and does not look like it has been tampered with.
Before you click through on the URL from a QR code, preview the URL and make sure it is trustworthy and matches what you expect. Both Apple and Android devices today deliver native QR code scanning in the photo app, including the ability to preview the link before opening it.
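The preview step above can be made systematic. The following is an added example (not code from the original article or from any scanner vendor) that takes an already decoded QR payload and reports which action a phone would take and how risky it is, covering the URL, Wi-Fi and phone-call payloads the article describes; the sample payloads, field names and risk levels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed payloads in the formats phones act on (URL, Wi-Fi join, phone call).
SAMPLE_PAYLOADS = [
    "https://example.com/menu",
    "WIFI:T:nopass;S:Free Airport WiFi;;",
    "tel:+19005551234",
    "http://203.0.113.5/login",
]

def _parse_wifi(payload):
    """Split 'WIFI:T:WPA;S:name;P:secret;;' into its fields."""
    fields = {}
    for part in payload[len("WIFI:"):].split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.upper()] = value
    return fields

def inspect_qr_payload(payload):
    """Classify a decoded QR payload by the action a phone would take.

    Returns {'action', 'target', 'risk'} so the user can preview the
    effect before the device performs it (the 'preview first' advice)."""
    p = payload.strip()
    low = p.lower()
    if low.startswith("wifi:"):
        f = _parse_wifi(p)
        auth = f.get("T", "").upper()
        # Open networks (no password) are the riskiest to auto-join.
        risk = "high" if auth in ("", "NOPASS") else "medium"
        return {"action": "join_wifi", "target": f.get("S", ""), "risk": risk}
    if low.startswith(("tel:", "sms:", "smsto:")):
        number = re.sub(r"[^0-9+]", "", p.split(":", 1)[1])
        # Any automatically started call or SMS is treated as high risk:
        # premium-rate numbers charge the caller.
        return {"action": "start_call_or_sms", "target": number, "risk": "high"}
    if re.match(r"^[a-z][a-z0-9+.-]*://", low) or low.startswith("www."):
        url = p if "://" in p else "http://" + p
        u = urlsplit(url)
        host = u.hostname or ""
        risk = "medium" if u.scheme == "https" else "high"
        # Bare IP hosts, punycode and credentials in the URL are classic phishing tells.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) or "xn--" in host or u.username:
            risk = "high"
        return {"action": "open_url", "target": url, "risk": risk}
    return {"action": "unknown", "target": p[:40], "risk": "medium"}

if __name__ == "__main__":
    for sample in SAMPLE_PAYLOADS:
        print(sample, "->", inspect_qr_payload(sample))
```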
Go easy on email delivered QRs too
You should generally avoid scanning QR codes sent in an email, or at least be extra careful. There have been several phishing campaigns that utilize QR codes in emails.
This practice has become so prevalent that it has been categorized as a distinct type of attack, known as ‘Qishing’.
Attackers favour it because email security typically analyzes the URLs inside an email body to determine whether they are malicious. In a QR code, the URL is replaced with an image, which the security solution must first decode before it can judge whether the content is harmful.
Determining whether something is good or bad is highly challenging in today’s digital world, and QR codes serve a practical purpose and are here to stay. Users should be aware of the specific risks that come with QR codes, which pack complex instructions into a simpler and more convenient form.
Otherwise, they might get much more than they bargained for when they scanned the code.