Executive Summary
The modern day era is constantly changing and we are increasingly integrating technology into our everyday lives to make daily tasks more easier and time efficient. Gone are the days of manually typing website addresses into browsers, thanks to QR Codes a contactless solution to scan codes with a smart phone, tablet or computer to access a specific websites, information and applications.
QR codes (Quick Response code) are not a new technology, originally designed in 1994 to efficiently scan and track component parts for manufacturing by the Japanese company Denso Wave [2]. In recent years QR codes have become increasing popular, in 2022 a total of 6,825,842 generated QR codes was scanned internationally an 433% increase compared to statistics recorded in 2021 [1].
Multiple industries have creatively used QR Codes for contactless restaurant menus, parking meters, transportation for trains and buses, Guest Wi-Fi, checking into venues, trackable post and delivery, advertisements, surveys and contactless payments [3]. Most notably an increase during the Covid pandemic to prevent the spread of the Covid infection from touching physical surfaces, QR codes have provided a contactless solution [4].
The big question is are QR Codes Safe? QR codes are generally safe however the increase in the popularity of QR Code usage has led to a new market for threat actors to exploit, unsuspecting victims are facing scams for spoofed QR Codes that link to phishing websites. The malicious websites can put victims at considerable risk of entering sensitive data, downloading drive by software that can be downloaded onto the device to harvest data, creating a back door for attackers to access and financial loss when providing bank details. Therefore the QR code is only as safe as the website linked [2].
The Modus Operandi
A QR Code is a unique generated combination of black and white squares presented on a two dimensional grid that is generated cost free by an individual or company for an intended purpose such as a website link or embedded information [1]. The codes can be scanned by QR code readers which are already implemented into Android and IOS cameras for smart phones, tablets and available from the Windows store for computers with webcams. There are also many third party apps available from the google play store and Apple store [2].
There are also different types of QR Codes with the most popular being the dynamic QR code; this is a trackable code that can contain a lot of data and be changed multiple times with no need to generate a new code. This is ideal for menus, advertisements and transportations time/dates. A Static QR Code can also contain a lot of information however this cannot be changed once generated, a new code will have to be generated for new information to be inputted. This is ideal for linking to websites, contactless payments, guest Wi-Fi and trackable postage [1].
Now that we understand how QR codes work and their intended purpose, what kind of threats can QR code victims encounter? A popular tactic used byscammers is placing fake QR codes on parking meters to be used as a quick payment method, the QR code will redirect to a phishing website where the unexpecting victims can then enter sensitive information such as their name and card payment details. Not only has the money gone directly to the threat actors but the victim will also face a car parking fine [5].
In 2021 the BBB (Better Business Bureau) reported an increase in emails, direct messages on social media, text messages, flyers and letters containing QR Codes. A student was sent a letter regarding student finance, the letter contained a QR Code that directed to a legitimate .gov website however, once the student rang the phone number within the letter the scammers received payment. The legitimate QR Code made the letter appear genuine [6].
Another technology that has also increased in popularity is Cryptocurrency, threat actors can use crypto to make transactions that are pseudonymous. This means threat actors do not have to link any personal information or create an account only an identifier to link to a wallet is required, which makes it more difficult to track transactions [7]. The recent MR Beast Token Cryptocurrency Scam where victims were encouraged to access a phishing website to claim 10,000 BST a form of Cryptocurrency, were encouraged to connect their crypto wallet via scanning a QR Code. A processing fee required a small amount of the victims cryptocurrency and personal information such as email addresses and phone numbers [8].
Why does this Matter?
The main motivator for threat actors regarding QR code scams is to harvest sensitive data for identify theft, personal and financial gain, this can cause victims a lot of financial loss leading to unmanageable debt, time wasting and stress issues. In 2022 the UK Finance reported over £1.2 billion stolen through fraud, that’s £2,300 every minute, 78% of APP Fraud cases (Authorised Push Payment Fraud) started online, 2% from emails and 18% which represented financial fraud over the telephone [9].
How to Protect Yourself
The QR codes can be only as safe as the website the codes redirects to so here are steps that will help in mitigating the risk.
Think before you scan and question if the code is genuine: How did you find or receive the QR Code? Is the sender or website legitimate?
Always verify the source: If you are unsure the QR is safe is it is best practise not to scan.
Don’t install third party QR Code Reader apps unless you are sure they are genuine: If you have a device with a QR Code built into the camera there is no need to install additional apps and the integrated software will be safer.
Always check the URL before being directed to the website: Most built in apps will display the website and alert if the website is suspected to be suspicious [1].
Never input sensitive data into a website unless sure the website is genuine: Install Anti-Virus protection that offers a QR Code Scanner feature to check phishing scams, forced app downloads and phishing links.
Don’t scan QR Codes from strangers or websites that promise investments and gifts: Don’t trust websites with short URL’s that could be hiding an malicious URL [10].
Use Two Factor Authentication: Add an additional layer of security over your password to prevent attackers gaining access.
Install a VPN (Virtual Private Network) when surfing the internet: Keep your activity anonymous from threat actors and implement a password manager to protect your password. The manager can also identify fake websites and will not autofill your details [11].
Conclusion
We now understand what QR Codes are, how they work, the types of attacks and how to mitigate the risks of rogue QR Codes. The main purpose highlighted in this blog is not to scare anyone away from using QR Codes because the technology is a very powerful tool designed to make life easier. Following the mitigation steps above can dramatically improve the chances of not falling prey to an attack and staying informed about developing technology can prevent any further attacks. Remember think before you scan.
References
[1] https://www.einfochips.com/blog/exploring-qr-codes-how-they-work-and-risks-of-phishing-attacks/
[2] https://www.avast.com/c-what-is-qr-code-how-to-scan#:~:text=A%20QR%20code%20(short%20for
[3] https://mention.com/en/blog/creative-ways-to-use-qr-codes/
[4] https://www.dxglobal.com/ideas/the-rise-of-qr-codes-during-covid-19/
[5] https://www.iow.gov.uk/news/Be-vigilant-of-potential-parking-scams
[6] https://www.bbb.org/article/scams/24636-bbb-scam-alert-watch-out-for-fraudulent-qr-codes
[8] https://www.myantispyware.com/author/patrik and http://www.facebook.com/myantispyware and https://www.myantispyware.com/2023/04/04/mr-beast-token-drop-a-new-cryptocurrency-scam-emerges/
[10] https://fourthcapital.com/educational-article/avoid-qr-code-scams/
