With QR Code usage predicted to escalate regionally by 2028, is the world ready to cope with the escalated cyber risks?
QR Codes are so convenient. When paying for food and drink, just look for the QR code printed on the placard displaying any payment system you are registered with.
Tired of typing out long URLs manually when you come across an interesting printed poster or email?
If a QR code is supplied in the document, just scan it with your smartphone and you will be browsing more information online soon.
Cybercriminals also love QR Codes. Let us count the ways they have found to express their affection for such systems:
- Obfuscating URLs: When victims cannot even see the text in a URL in any scam ad or email, how will they exercise caution when launching phishing links?
- Payment hijacking: Few consumers will think twice about scanning a payment provider’s QR Code placed right in front of a retail outlet’s cashier. With QR Codes being just unintelligible sequences of dots and shapes inside a white square, few people will even notice if the printed QR Code is not tamper-proof (that is, not sealed within a plastic holder that cannot easily be switched) or if it has been replaced by a scammer’s QR Code!
- Faking authentication: To some people there is something reassuring about an organization that sends out correspondence bearing QR Codes to make accessing specific services and information less tedious — especially when the organization is a huge corporation or public agency not known for easy-to-navigate websites. Now, with the right spoofing apparatus, cybercriminals just need to mail out some official-looking documents with QR Codes rigged to entice victims to scan the QR Code to log into spoofed authentication pages to harvest login credentials and other sensitive personal data. Even restaurant menus have been known to be rigged (under their management’s noses) to steal customer data.
- In-your-face scams: Scammers have been reported to act like they are in distress when they approach strangers for help. They would find a hundred different excuses as to why they need you to scan a certain QR code to transfer some small amount of money to them. Since this ruse is so in-your-face and so convenient, victims have been known to be less suspicious. A variant of this ruse is to use fake charity and impersonation tactics to make people think they are transferring money for a good cause.
- Transmitting malware: The “beauty” of QR Codes is that victims do not know where the scanned code will take them online. Cybercriminals and scammers can achieve many of the objectives listed here, at one go — the moment a potential victim scans a rigged QR Code that takes the smart device to a webpage containing trojan code, keyloggers and any variation of phishing and spoofing that enables more malware to be launched and activated on the device.
- Confidence tricks: Here, crooks go on used-goods websites and approach sellers, claiming they want to buy a certain product. They offer to transfer a small amount of money to “check it’s the right bank account” and gain the seller’s trust. Soon, they would ask the victim to scan a QR code and follow the instructions to receive the remainder of the money. We all know how this turns out…
- Crypto giveaway scams: In a well-publicized “giveaway scam”, users are convinced by social engineering or some other approach to think they can transfer crypto to a certain Bitcoin wallet and get twice as much in return. Usually, scammers will craft ads impersonating rich people who have been known to give out free money online. If it is too good to be true, QR Codes will make the ruse easier for scammers to pull!
- Endless opportunities ahead: With rushed digital transformation caused by the COVID-19 pandemic, more organizations have had few alternatives but to rely on QR Codes to support contactless transactions, speed up cross-border e-payments, enhance the online customer experience, and gain consumer trust (since QR Codes used to come from only “official” and authentic agencies). Cybercriminals love that fake QR Codes can look even more “official” (with generative AI and other “innocent” digital tools) or more novel (for example, featuring brand logos and cute animals in the code’s appearance). These methods cause people to let their guard down, and can be applied with impunity to any future technology and to any printed or digital content.
Plan before you scan
Once people know how dangerous QR Codes can be, they should spread the word and boost all-round cyber hygiene awareness. Get the authorities and payment providers to take action to invent new QR Code safety practices and mechanisms (such as multi-factor authentication) to protect people. However, in the meantime, the following best practices apply:
- Vigilance against anything even remotely resembling phishing scams: many QR Codes can be found in such malicious content, even if it is embedded within legitimate websites
- Avoidance of using public Wi-Fi when scanning QR Codes
- Discipline in ensuring your smart device is updated with the latest security patches; not already infected; and contains cybersecurity software to detect the opening of any links already blacklisted by global communities
- If any QR Code leads to ANY web page or prompt that requires your submission of sensitive data or login credentials: ABORT! Triple-check with the relevant representatives of the transaction/payment provider/organization to make sure you are “on the same page”
- Do not scan any QR Code you cannot verify is authentic — especially if it seems to have something pasted over it, or if cashiers do not seem trained enough to double-check your e-payment has been reflected on their own system after you have scanned and paid. For emails and public posters and ads, the safest thing to do is avoid the mobile convenience. Just take note of the official website and browse within it for the information and services you need
- Even QR Code scanner apps can be fake! Ensure you use only the official QR Scanner app supplied on your smart device, or use one you can be sure is authentic and regularly patched
- If all else fails, and you still end up having to scan a QR Code: you still have the choice of NOT opening the link within a browser, and the choice of ABORTING if you smell something fishy once the link opens up. Any prompt asking you to grant app permissions, provide sensitive information or perform any risky operation such as downloading files or replying YES to any automated script, is a danger signal
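The last two points above come down to one habit: look at what the scanner decoded before letting the phone act on it. The script below is an added example written for this article, not code from it or from any scanner app. It takes the text a scanner has already decoded (image decoding is out of scope), says what kind of payload it is (a web link, a Wi-Fi join string, a crypto payment URI, plain text) and, for links, lists the risk indicators the article's advice is built on: a hidden destination (URL shorteners, redirect parameters), a disguised host (text before an "@", an IP literal, a punycode or non-ASCII lookalike domain), no TLS, and a path that looks like a login or verification page. The host lists, keyword list and every sample payload are constructed for illustration and are not real sites or incidents.

```python
"""Triage the text a QR scanner decoded, before anyone taps "open".

Added example for this article, not code from it. Input is the string a
scanner app has already decoded; image decoding is out of scope. The host
lists, keyword list and sample payloads are constructed for illustration.
An empty indicator list means nothing fired, not that a link is safe.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed lists; a deployment would use maintained block/allow lists.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
RISKY_SCHEMES = {"javascript", "data", "file", "intent", "vbscript"}
PAYMENT_SCHEMES = {"bitcoin", "ethereum"}
SENSITIVE_WORDS = ("login", "signin", "password", "verify", "otp", "wallet", "account")
STRONG_INDICATORS = {"risky-scheme", "embedded-credentials", "ip-literal-host",
                     "punycode-host", "non-ascii-host", "redirect-parameter"}


def classify_payload(payload: str) -> str:
    """Say what kind of action a decoded QR string would trigger on a phone."""
    p = payload.strip()
    scheme = p.split(":", 1)[0].lower() if ":" in p else ""
    if scheme == "wifi":
        return "wifi-network"      # scanner may offer to join a network
    if scheme in ("http", "https"):
        return "web-link"
    if scheme in PAYMENT_SCHEMES:
        return "payment-uri"       # pre-filled crypto transfer request
    if scheme in RISKY_SCHEMES or "://" in p:
        return "other-link"        # handed to some app rather than a web page
    return "plain-text"


def url_risk_indicators(url: str) -> list:
    """Return the named risk indicators found in a decoded URL, in check order."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    hits = []

    if scheme in RISKY_SCHEMES:
        hits.append("risky-scheme")           # not an ordinary web link at all
    elif scheme == "http":
        hits.append("insecure-scheme")        # no TLS: page can be altered in transit
    elif scheme != "https":
        hits.append("unknown-scheme")

    if "@" in parts.netloc:
        hits.append("embedded-credentials")   # the text before '@' is NOT the host
    is_ip = False
    try:
        ipaddress.ip_address(host)
        is_ip = True
        hits.append("ip-literal-host")        # no domain name to recognise
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        hits.append("punycode-host")          # internationalised name, often a lookalike
    if any(ord(c) > 127 for c in host):
        hits.append("non-ascii-host")
    if host in SHORTENER_HOSTS:
        hits.append("url-shortener")          # real destination hidden behind a redirect
    try:
        if parts.port not in (None, 80, 443):
            hits.append("nonstandard-port")
    except ValueError:
        hits.append("malformed-port")
    if not is_ip and host.count(".") >= 3:
        hits.append("deep-subdomain")         # brand name buried in a long hostname
    lowered = (parts.path + "?" + parts.query).lower()
    if any(word in lowered for word in SENSITIVE_WORDS):
        hits.append("credential-prompt-keywords")
    for values in parse_qs(parts.query).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            hits.append("redirect-parameter")  # link bounces to a second site
            break
    return hits


def risk_level(url: str) -> str:
    """Collapse the indicators into low / medium / high for a quick decision."""
    hits = url_risk_indicators(url)
    if any(h in STRONG_INDICATORS for h in hits):
        return "high"
    return "medium" if hits else "low"


# Constructed sample payloads, as a scanner app would hand them over.
SAMPLE_PAYLOADS = [
    "https://www.example.com/menu",
    "http://bank.example@192.0.2.10/account/login",
    "https://xn--bnk-2na.example/verify",
    "https://bit.ly/3abc",
    "https://www.example.com/out?next=https://other.example/",
    "WIFI:T:WPA;S:cafe;P:secret;;",
    "Table 12",
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        kind = classify_payload(payload)
        if kind == "web-link":
            print(f"{risk_level(payload):6} {payload}  {url_risk_indicators(payload)}")
        else:
            print(f"{'n/a':6} {payload}  [{kind}]")
```

The indicators are prompts for a human decision, not a verdict: a legitimate site can sit behind a shortener, and a clean-looking URL can still lead to a spoofed login page, which is why the article's advice to abort at any credential prompt stands regardless of what this check reports. A scanner app that showed this kind of breakdown before opening anything would give users exactly the pause the "Plan before you scan" list asks for.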