QR Codes in the Time of Cybercrime
QR codes have been around for many years. While they were adopted for specific niche uses, they never reached their full potential.
However, in recent years, with lockdown and the drive to keep things at arm’s length, QR codes have become an efficient way to facilitate contactless communications or the transfer of offers without physically handing over a coupon. As this has grown in popularity, more people have become familiar with how to generate their own QR codes and how to use them as virtual business cards, discount codes, links to videos and all sorts of other things.
QR Code Fraud
As with most things, once they begin to gain a bit of popularity, criminals move in to see how they can manipulate the situation to their advantage. Recently, we have seen fake QR codes stuck to parking meters enticing unwitting drivers to scan the code and hand over their payment details, believing they were paying for parking. In reality, they were handing over their payment information to criminals.
The rise in QR code fraud resulted in the FBI releasing an advisory warning against fake QR codes used to scam individuals. In many cases, a fake QR code will lead people to a website that looks like the intended legitimate site. So, the usual verification process of checking the URL and any other red flags apply.
Moving Beyond Fake Websites
There are many paid and free services that will allow you to create your own QR code, which can open up many opportunities for more elaborate attacks or techniques. It is essential to know how QR codes can be used to understand potential vulnerabilities. A QR code can:
- Create a pre-canned SMS message ready for you to send.
- Compose a pre-canned tweet ready for you to send.
- Share the public address of a crypto wallet.
- Provide access to quickly and easily connect to Wi-Fi.
There are other types of QR codes, but you get the idea – and all of these are relatively trivial to repurpose for malicious activities.
Staying Safe
Fortunately, for these scams to be successful, criminals have to physically tamper with or place their own QR code, which comes at a risk to them. Also, none of these will automatically trigger an action on a phone. Rather, it will display a notification about the intended action.
So just like email phishing, timely and appropriate security awareness training can be put into practice. Teaching users to be mindful and vigilant whenever payments, credentials or personal details are involved online is critical.
Information in this article was provided by our partners at KnowBe4.