Four Risks and Solutions When Using QR Codes

If you've been out to eat in the last year, there's a high chance you saw a virtual or touchless menu option offered at a restaurant. What you saw was likely a Quick Response, or QR, code, and despite their controversial history, they've become widely popular for touchless processes since the pandemic began. However, you may be concerned about how safe they are to use, and rightfully so. Hackers have misused QR codes for nefarious purposes in the past, but they still have their place. Here are four of the biggest risks associated with them, as well as four solutions for how to use them safely.

QR code abuse has been around for a while, and Heinz is one large company that learned this lesson the hard way. You may recall back in 2015 when the Heinz QR code was directing users to an inappropriate site. As it turned out, Heinz did not renew their registration of the domain name. BBC News reports that once their domain name became available, another party started using it. Heinz created the QR code as a promotion allowing users to design their own ketchup bottle label once they reached the site. However, users landed on a completely different and inappropriate website.

The problem does not end there. A new phishing method using QR codes, also known as “QRishing,” has become a popular attack vector because the human eye cannot differentiate a malicious QR code from a legitimate one.

What are QR Codes?

QR codes are matrix bar codes that commonly allow consumers to access special coupons, visit company websites, receive special offers, or learn more about products/services. When a QR code reader application is installed, a consumer can simply point a smartphone's camera at the code to scan and decode the message contained in the QR code box.

QR Codes are Still Relevant

QR codes aren't going anywhere, in fact, a September 2020 study by MobileIron found that 86% of respondents scanned a QR code over the previous year. The quest for convenience rules our lives and the fact of the matter is that QR codes save consumers the hassle of writing down a web address or other useful information. Consumers can simply scan the QR code with their code reader application and have what they need at their fingertips. 

Companies are placing them in various locations including product packaging, movie posters, magazines, business cards, billboards, and even on the sides of buildings for marketing purposes.

Just a few years ago, Square Roots began using a QR code on their packaging to gain consumers’ trust by sharing the story of their food production. That came at a crucial time when there was a widespread E.coli outbreak, resulting in the recall of romaine lettuce from specific vendors.

QR codes are still popular, but their abuse is a growing cyber threat. Below you will find four important risks to be aware of and the security measures that can be put into action to protect yourself or your company from a cyber incident.

Four Attack Methods 

1. First, criminals can inject your phone with malware. This direct approach requires nothing more than an unsuspecting consumer or employee to scan a QR code out of curiosity leading to an infected website. Just visiting the infected website can trigger a malicious download. One example of how they might deliver this attack method is to send the QR code in an email that appears to be legitimate enticing the user to scan it.
2. Second, the attacker leads you to a phishing site to steal your credentials or to gain access to your private information on your mobile device. Phishing websites can be very hard to detect. They use a similar-looking Universal Resource Locator (URL) to a trusted website. Another approach is to change the domain extension. For example, they change the ".org" to ".com." Other times, there is a slight change in the spelling of the URL so hard to distinguish that it tricks the user. Once the user visits the phishing site, username/login credentials are requested. After the attacker has your log in, the rest is history. They can access your accounts, make changes, see private information and cause irreversible damage to your company name.
3. Third, cybercriminals can print out free encoding tools on the internet to make QR codes. They print the QR code on adhesive paper and place it over a legitimate QR code, or they can email a malicious QR code to an unsuspecting consumer.
4. Fourth, there's always the risk that an attacker finds a bug in a code reader application that could result in the exploitation of cameras and/or sensors in phones or other devices.

The truth is many of us are curious individuals and may be tempted to scan a QR code just to see what it is. People wonder if it will bring them to a website, a coupon, or a code for a free product. Many do not take the time to consider the fact that this action might have huge consequences, such as injecting malware on either their company-owned or personal devices.

Four Security Measures 

1. First, never scan a QR code from an untrusted source, whether it be in an email or a physical place.
2. Second, when possible, feel the QR code to see if a sticker has been applied over the original and legitimate QR code.
3. Third, only use a QR reader application with built-in security features. Understand that some QR reader apps are more secure than others. Important features to look for include showing the content of the link before it is visited and checking the link against a database of known malicious links.
4. Fourth, if you find a malicious QR code, report it to the owner of the business where you discovered it. 

New technology brings new vulnerabilities, creating a need for ongoing awareness and cybersecurity education. Fully training employees enhances your security posture and as an added bonus protects them personally.

Empowering your workforce to recognize and respond to sophisticated threats is only a click away. TechGuard S.H.I.E.L.D is a cutting-edge and comprehensive training solution for businesses of all sizes. Learn how we can help you secure your workforce and protect your organization from cyberattacks.