QR codes are experiencing a rebirth. Organisations everywhere are concentrating on how to safeguard their employees, customers, and suppliers during the pandemic, and they are doing so by implementing contactless transactions and services, which make for a safer and more streamlined purchasing experience for customers and employees alike.
As QR codes gain in popularity, scammers are quickly taking advantage of the new avenues of revenue they provide. Cyberattackers combine social engineering with QR codes to gain access to victims’ bank accounts and drain their funds. In seconds they can also install malware, penetrate entire corporate networks, and commit a variety of other offences.
● One of the fastest-growing threat vectors in the world is QR-based discount codes – around 5.3 billion codes are expected to be redeemed this year.
● Instagram became the second social network to use universal QR codes to link back to individual profiles, following Twitter, which did so last month.
QR Codes – The Perfect Way to Lure People to Becoming a Part of a Cyberattack
To many organisations, QR codes have come back from the dead, accelerating the adoption of digital technology at the same pace as the pandemic itself. This is all the more astonishing because QR codes had earlier been considered obsolete. QR codes are such a sneaky and hazardous threat vector because people readily trust them and rarely understand what they do.
The QR Codes: Consumer Sentiment Survey, conducted by MobileIron, is one of many surveys on QR code adoption that are currently available. It provides insights into why the use of QR codes, and the threats that come with them, is expanding. The findings of the survey are based on interviews with more than 2,100 customers from both the United States and the United Kingdom.
The key findings are as follows:
● To the delight of scammers, American Express had projected that QR code payments would become the most widely accepted form of electronic payment by 2020. According to the MobileIron survey, 27 per cent of respondents in the US and 43 per cent in the UK currently use QR codes to make payments. In the last six months, 38 per cent of respondents scanned a QR code at a restaurant, bar, or café; 37 per cent did so at a retailer; and 32 per cent scanned one on a consumer product.
● 71 per cent of respondents are unable to tell the difference between a valid QR code and a malicious one, and nearly 17 per cent have had a QR code redirect their mobile devices to a questionable website. Also, 67 per cent can tell if a URL is real or not, but 75 per cent can’t detect a potentially malicious QR code!
● According to MobileIron’s research, hackers use QR codes to break into your phone and, through it, your life. A QR code can trigger actions that appear to originate from you but actually give an attacker access to your contact lists and e-mails, as well as your phone’s location and bank account.
It doesn’t matter how the malicious codes reach our phones; the sites they open may look genuine. You may not even be aware that you’ve followed a malicious link until it’s too late.
Even if you visit a restaurant’s menu, the attacker can track and steal your data for days or weeks in the background. ‘They could install malware in our devices, add contacts to our contact lists. They can send emails,’ says Sarra Alqahtani, a Wake Forest University computer science assistant professor.
The FBI offered the following advice in its January 2022 alert on preventing QR code cyber-attacks:
● Verify that the URL you see after scanning a QR code leads to the correct website and that it appears to be genuine. For example, you might find a spelling error or an incorrect letter(s) in a malicious domain name.
● After scanning a QR code, one should enter login, personal, or financial information with extreme caution.
● When scanning a physical QR code, check that it has not been tampered with, for example by a sticker placed over the original code.
● If you receive an email from a company you recently purchased from, claiming that a payment failed and that you can only complete the payment using a QR code, phone the company to verify. Look up the company’s phone number on a reliable site rather than using the one provided in the email.
● Experts don’t recommend downloading a separate QR code scanner app, as it raises the risk of malware infection on your device; the camera app on most smartphones has a built-in scanner.
● Contact the sender of the QR code using a known phone number or address to double-check that the code came from them.
● Do not send money to a website that you have visited using a QR code. To finalize the transaction, manually input a well-known and trusted URL.
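The first, second and last pieces of advice above amount to a checklist that can be applied to the URL a scan produces. The following script is an added example and is not code from the article, MobileIron or the FBI. It assumes the QR payload has already been decoded to a string (the phone’s camera app does that) and checks the string for the warning signs the advice describes: a misspelt or lookalike domain, a redirect that hides the real destination, a raw IP address or internationalised name, and a login or payment page reached straight from a scan. The trusted-domain list, the shortener list and the sample payloads are constructed for the example; the `registered_domain` helper deliberately simplifies by taking the last two labels, which mishandles ccTLDs such as co.uk.

```python
"""Vet the URL decoded from a QR code before following it (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Domains a genuine code is expected to point at (constructed for the example).
TRUSTED_DOMAINS = {"example-bank.com", "example-cafe.com"}

# Public URL shorteners: the real destination sits behind a redirect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

# Character swaps commonly used to build lookalike domain names.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Path or query words that suggest the page will ask for credentials or money.
SENSITIVE_RE = re.compile(r"login|sign-?in|password|verif|pay|checkout|account", re.I)


def normalize(domain: str) -> str:
    """Fold confusable characters so 'examp1e-bank' compares equal to 'example-bank'."""
    domain = domain.lower()
    for bad, good in CONFUSABLES:
        domain = domain.replace(bad, good)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a trusted domain marks a likely lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores ccTLDs such as co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def vet(payload: str, trusted=frozenset(TRUSTED_DOMAINS)) -> list:
    """Return finding codes for a decoded QR payload.

    An empty list means nothing was flagged, not that the destination is safe.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Wi-Fi credentials, tel:, vCards and plain text are not web links at all.
        return [f"non-web-scheme:{scheme or 'none'}"]
    findings = []
    if scheme == "http":
        findings.append("non-https")
    if "@" in parts.netloc:
        findings.append("userinfo")  # a user@ prefix pushes the real host out of view
    host = (parts.hostname or "").lower()
    if not host:
        findings.append("no-host")
        return findings
    if host.startswith("www."):
        host = host[4:]
    try:
        ipaddress.ip_address(host)
        findings.append("raw-ip")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode")  # internationalised name, possible homograph
    registered = registered_domain(host)
    if registered in SHORTENERS:
        findings.append("shortener")
    if registered not in trusted:
        for t in sorted(trusted):
            if levenshtein(normalize(registered), normalize(t)) <= 2:
                findings.append(f"lookalike:{t}")
            elif f".{t}." in f".{host}.":
                findings.append(f"nested:{t}")  # trusted name used as a subdomain
    if SENSITIVE_RE.search(parts.path + "?" + parts.query):
        findings.append("credential-path")  # type the known URL by hand instead
    return findings


if __name__ == "__main__":
    for sample in ("https://example-bank.com/statements", "http://examp1e-bank.com/login",
                   "https://example-bank.com.attacker.test/verify", "https://bit.ly/abc"):
        print(sample, "->", vet(sample) or "nothing flagged")
```

The `credential-path` finding is the code-level form of the last two bullets: a scan that lands on a login or payment page is the cue to stop and type the known address manually, whatever the domain looks like.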
Ways in Which QR Codes are Used to Scam
A scam in which hackers pretended to be customers and sent QR codes to small businesses, to confirm payments, was brought to light by the Belgian police in 2021. Scanning the code would enable the hackers to access the bank accounts of the sellers. Olivier Bogaert from US’ Federal Computer Crime Unit claimed that the code, ‘Does not, in reality, link to a payment confirmation but rather to a login gateway that the fraudster, in combination with the bank account information provided, will have direct access… to your current and savings accounts’.
Criminals haven’t been oblivious to the rise in popularity of QR codes. According to Anna Chung, a principal researcher at Unit 42, the threat research department of Palo Alto Networks, ‘Cybercriminals are abusing this behaviour. Cybercriminals in underground web forums have been discussing how to exploit QR codes and target mobile devices during the pandemic’. Unit 42 researchers have also found open-source tools and video tutorials that teach attackers how to use QR codes.
QR code phishing, also known as ‘quishing,’ is also on the rise. Criminals are now using email-borne malicious QR codes to drive victims to a fraudulent website. From here, they ask for login credentials. As Gartner’s Senior Director of Research, Mark Harris, notes, this strategy circumvents many anti-phishing systems that analyse emails for malicious code. ‘Quishing goes around the standard approaches because you can’t see the URL, or it isn’t accessible in the email’.
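Harris’s point is concrete enough to reproduce: a filter that only extracts URLs from message text has nothing to check when the link lives inside an image. The script below is an added example, not code from the article or from any anti-phishing product. It constructs a sample lure whose only call to action is an attached QR image, runs the kind of URL extraction a text-only filter performs, and shows that it finds no link; the triage rule then routes such messages to image decoding instead of passing them as clean. Sender and recipient addresses, the subject line, the lure wording and the placeholder PNG bytes are all constructed for the example, and the actual QR decoding step is left to whatever decoder the gateway integrates.

```python
"""Show the quishing blind spot in a text-based e-mail filter (added example)."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Wording typical of the lures the article describes (failed payment, scan to fix).
LURE_RE = re.compile(r"scan|qr code|payment failed|verify|urgent", re.IGNORECASE)

# Eight-byte PNG signature only: a placeholder standing in for a real QR image.
PLACEHOLDER_PNG = b"\x89PNG\r\n\x1a\n"


def build_sample_mail(link_in_text: bool) -> bytes:
    """Construct a lure. With link_in_text=False the only call to action is the image."""
    msg = EmailMessage()
    msg["From"] = "billing@example-bank.test"        # constructed sender
    msg["To"] = "employee@example-corp.test"         # constructed recipient
    msg["Subject"] = "Payment failed - action required"
    if link_in_text:
        body = "Your last payment failed. Retry at https://example-bank.test/retry"
    else:
        body = "Your last payment failed. Scan the QR code attached to complete it."
    msg.set_content(body)
    msg.add_alternative(f"<html><body><p>{body}</p></body></html>", subtype="html")
    if not link_in_text:
        msg.add_attachment(PLACEHOLDER_PNG, maintype="image", subtype="png",
                           filename="qr.png")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Classify a message the way a gateway rule would, reporting what each stage saw."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    visible_urls, image_parts = [], []
    text = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_content()
            text.append(body)
            visible_urls.extend(URL_RE.findall(body))  # all a text-only filter sees
        elif part.get_content_maintype() == "image":
            image_parts.append(part.get_filename() or ctype)
    lure_language = bool(LURE_RE.search(" ".join(text)))
    if visible_urls:
        verdict = "scan-urls"        # normal path: reputation-check the links
    elif image_parts and lure_language:
        verdict = "decode-images"    # quishing suspect: decode the image before delivery
    else:
        verdict = "clean"
    return {"visible_urls": visible_urls, "image_parts": image_parts,
            "lure_language": lure_language, "verdict": verdict}


if __name__ == "__main__":
    print("link in text:", triage(build_sample_mail(True))["verdict"])
    print("QR image only:", triage(build_sample_mail(False))["verdict"])
```

The `decode-images` verdict is where a real deployment hands the attachment to a QR decoder and feeds the recovered URL back into the same reputation checks that text links receive; without that step the message would reach the inbox with a `clean` verdict even though its payload is a link.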
Smartphones and other mobile devices have become indispensable; they are today our digital lifelines. Employees increasingly use mobile devices, often unsecured ones, to connect with co-workers, use a wide range of cloud-based applications and services, and remain productive while working remotely. Mobile QR code scanning is becoming increasingly popular among employees, putting both themselves and the company at risk.
It is, therefore, essential to take the right precautions while using QR codes. As the masses adopt code scanning, the challenges will only rise.