Cybercriminals are exploiting the convenience and ubiquity of QR codes at point-of-sale counters, extending their brand-impersonation scams to a channel where the destination of a link stays hidden from the victim until it is scanned.
While most phishing attacks come by email, deceptive ads, links or attachments, others are sent by text message or even a telephone call.
Now another kind of phishing attack is on the rise, one that uses Quick Response (QR) codes: the familiar two-dimensional barcodes made up of a square grid of black and white modules. Because a person cannot read the encoded link by eye, the code works as an opaque link, and the scam depends on the victim scanning it without checking where it leads.
As with other kinds of phishing, this attack exploits trust: trust in the QR code itself and in the brand attached to it. Many phishing lures also manufacture urgency around a supposed benefit, or a consequence of not acting, so that the victim does not pause to verify.
Two methods of QR phishing
First, fraudsters may stick a QR code on the door of a bank branch. When scanned, it leads to a page asking the user to sign in to their bank account to enter a contest whose cash prize will supposedly be deposited directly into that account.
The website looks as though it belongs to the bank in question, but it is controlled by the attacker: any username, password or banking details entered there go straight to the fraudster, who can use them to log in to the real account or to commit further fraud.
The second method is via emails impersonating well-known brands or retailers on the pretext of promoting a new “loyalty program”. When recipients scan the code they are prompted to enter personal details, including name, address, username and password. Those details can then be used to access the retailer's website and any information stored there, including saved credit card details. If the compromised password is reused on other websites, the fraudsters get a bonus haul.
Further, the personal information may be sold on the black market to be leveraged by others in future phishing attacks.
Staying QR-inoculated
Because a QR code hides its destination until it is scanned, remain vigilant whenever you are asked to scan one.
- Double-check the integrity of the QR code
It is very easy to place a fraudulent QR code sticker over a legitimate code. QR codes that are sticker-based, unbranded or placed in unusual locations should be treated with caution, and codes from an unfamiliar source should not be trusted. QR codes delivered by email should always be treated with extreme caution, with the exception of mobile tickets that are read by third parties (concert tickets, for example). Most phone camera apps show the decoded link before opening it: read it, check that the domain is the brand's own and not a look-alike or a link shortener, and close the preview if it is not. When in doubt, ignore the easy route the QR prompt offers and instead verify it is legitimate by going to the brand's standard website directly, calling customer service, or asking an employee in person.
- Be mindful of sharing personal information
Effectively safeguarding personal and financial information, and deciding whether a website deserves trust, can be challenging. Be wary of QR codes leading to websites that ask for personal information, login credentials or sensitive financial details, and never disclose banking information or wire funds as the result of a QR code interaction.
- Be mindful of payment methods
While convenient, not all payment methods are protected equally. Avoid completing a QR code-linked transaction with a payment method that lacks fraud protection, such as a wire transfer; use a credit card or another method that your country's consumer-protection rules cover, so that a fraudulent charge can be disputed and reversed.
- Enable strong, phishing-resistant MFA across your accounts
Wherever possible, enable multi-factor authentication (MFA) on your accounts to make it harder for phishing attacks to succeed. Any MFA is better than a username and password alone, but not all MFA is created equal. One-time codes delivered by SMS or generated by an authenticator app can be relayed by a fake site in real time, because the victim types them into the attacker's page. Passkeys and FIDO2 hardware security keys are phishing-resistant: the credential is bound to the legitimate site's origin, so a look-alike domain reached through a malicious QR code cannot complete the login even if the victim has already handed over their password. Prefer these, with device biometrics as the local unlock step, wherever a site supports them.
For sites that do not yet support phishing-resistant methods, use a reputable password manager to generate strong, unique credentials per site and sync them across devices. A password manager also gives you a quiet phishing check of its own: it will only autofill a saved password on the exact domain it was saved for, so if it stays silent on a page reached from a QR code, treat that as a warning.
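As an added example (not code from the original article), here is a Python check a practitioner could run on the text decoded from a QR code before opening it. It implements the "read the link before tapping" advice from the integrity item above: it rejects non-web schemes, flags plain HTTP, embedded credentials, raw IP addresses, punycode labels and link shorteners, and finally applies the same exact-domain rule a password manager uses before autofilling, so a brand name buried inside a look-alike host does not pass. The trusted-domain set, the shortener list and the sample payloads are constructed assumptions for the example; decoding the image into text is left to the scanner app or a library.

```python
"""
Vet the URL decoded from a QR code before opening it.

Added example, not from the original article. TRUSTED_DOMAINS, SHORTENERS and
the sample payloads are constructed for illustration; in practice the trusted
set would hold the brand's real registered domains.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical brand domains a user (or a password manager) would accept.
TRUSTED_DOMAINS = frozenset({"examplebank.com", "example-retailer.com"})

# Well-known link shorteners: they hide the final destination from the preview.
SHORTENERS = frozenset({"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"})


def vet_qr_url(payload, trusted=TRUSTED_DOMAINS):
    """Return a list of warning strings for a decoded QR payload; [] means no red flags."""
    warnings = []
    parts = urlsplit(payload.strip())  # urlsplit lowercases scheme and hostname

    # 1. A sign-in or loyalty-program code should carry a plain web link.
    if parts.scheme not in ("http", "https"):
        warnings.append(f"non-web scheme '{parts.scheme or 'none'}'")
        return warnings
    if parts.scheme != "https":
        warnings.append("not HTTPS")

    host = (parts.hostname or "").rstrip(".")
    if not host:
        warnings.append("no hostname")
        return warnings

    # 2. "https://examplebank.com@evil.net/" puts the brand in the userinfo
    #    part; the real host is whatever follows the '@'.
    if parts.username is not None or parts.password is not None:
        warnings.append("credentials embedded in URL (user@host trick)")

    # 3. A bare IP address is never how a bank or retailer publishes a link.
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain")
        return warnings
    except ValueError:
        pass

    # 4. Punycode or non-ASCII labels can render as look-alikes of a brand name.
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        warnings.append("internationalized/punycode label (possible homoglyph)")

    # 5. Shorteners defeat the "read the link before tapping" check.
    if host in SHORTENERS:
        warnings.append("URL shortener hides final destination")

    # 6. Exact-domain match, the rule a password manager applies before
    #    autofilling: host must be a trusted domain or a subdomain of one.
    #    "examplebank.com.evil.net" ends with ".evil.net", so it does NOT match.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        brand_tokens = {d.split(".")[0] for d in trusted}
        if any(tok in host for tok in brand_tokens):
            warnings.append(f"host '{host}' mimics a trusted brand but is not a trusted domain")
        else:
            warnings.append(f"host '{host}' is not in the trusted list")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would hand them over.
    samples = [
        "https://www.examplebank.com/login",
        "http://examplebank.com.evil.net/prize",
        "https://examplebank.com@evil.net/login",
        "https://bit.ly/loyalty-signup",
        "https://203.0.113.5/login",
        "mailto:prize@evil.net",
    ]
    for s in samples:
        flags = vet_qr_url(s)
        print(f"{'OK  ' if not flags else 'WARN'} {s}")
        for f in flags:
            print(f"      - {f}")
```

The subdomain rule in step 6 is deliberately strict: `www.examplebank.com` passes, but `examplebank.com.evil.net` and `examplebank-login.com` do not, because neither is the registered domain or a child of it. That is the same test a password manager performs, which is why a manager that refuses to autofill is itself a useful signal.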