
Don’t trust the scan: Protecting yourself from QR code attacks

Cybercriminals always seem to find new ways to steal data or make financial gains, and now they are using images to deliver a new form of phishing: quishing. Just when you thought that not clicking on links and checking the sender’s email address was a good start towards being cyber-safe, you now need to be wary of QR codes, too.

QR codes (Quick Response codes) are square, barcode-like images that serve many legitimate purposes, allowing quick access to internet-based resources such as websites, products, event information and payment facilities. While QR codes have existed for over two decades, their use has increased as more consumers have come to own and use smart devices. This was especially evident during the pandemic, when QR codes were used for contact tracing.

Despite its funny-sounding name, quishing is malicious. QR code phishing attacks (“quishing”) use physical or digital QR codes to lure users to fake websites designed to steal sensitive information, or to infiltrate a device and infect it with malware.

Quishing is just one of many types of phishing attack, a category of scam in which attackers try to get users to reveal personal information such as login details or credit card numbers. In fact, a phishing attack takes place every 39 seconds, and an estimated 3,809,488 records are stolen daily through phishing-related breaches.

Like other forms of phishing, quishing relies on trust: trust in the QR code and in the organisation attached to it. Phishing scams also typically create a sense of urgency (e.g. “this limited discount offer ends today!”) or threaten a consequence for not acting (e.g. “your account will be locked in 24 hours”).

Different forms of quishing

QR codes come in physical and digital formats, so exposure to quishing can happen wherever there is a QR code. This is why it is critical to be cautious when scanning QR codes and to make sure the source is trusted.

Some notable cases have been reported in Singapore. In one, a woman visited a bubble tea shop and saw a QR code sticker on the shop’s glass door, encouraging customers to complete an online survey to receive a free cup of milk tea.

When she scanned the QR code, it downloaded a third-party app onto her Android phone to complete the “survey”. The scammers used that app to take over her device and stole US$20,000 from her bank account later that evening while she was sleeping.

A similar scenario can play out with a digital QR code: the user receives an email from a retailer containing a QR code to sign up for a new loyalty program or receive a promotional offer. When the user scans the code on their computer screen with their smart device, they are prompted to enter personal details, including name, address, username and password.

Identifying quishing scams

It is easy to be tricked by quishing, which is why this method of attack continues to grow. With text-based phishing, it is easier to verify that a link is legitimate before you click it; with a physical QR code, the destination stays hidden until you scan it.

The Australian Signals Directorate highlights three key challenges in trying to identify a quishing scam:

  • The limited ability of some email security tools to detect and block malicious links embedded in images.
  • Hiding the link in an image limits your ability to check its legitimacy prior to scanning the QR code.
  • For business environments, users receiving quishing emails sent to their work email address may scan a malicious QR code using personal devices, which may not be subject to the organisation’s cyber security controls and monitoring environments, making it difficult to prevent, detect and track potential compromises.

Malicious QR codes are hard to spot, so Yubico recommends being cautious and protecting yourself by doing the following:

Verify the source is legitimate

QR codes are everywhere, so if you see one in an unexpected place, inspect the URL before opening it, especially if the source is unknown. If your scanner previews the link before opening it, make sure you recognise the URL, and even if you do, look for misspellings or a swapped letter, just in case.

If the message looks legitimate, you can also verify the sender by calling a phone number or visiting a website that you have confirmed is authentic. Placing a fraudulent QR code sticker over a legitimate one is very easy, so be cautious of physical QR codes that are sticker-based, unbranded or placed in unusual locations.

Likewise, QR codes delivered by email should always be treated with extreme caution. If you are in doubt but still wish to find out more, contact the organisation directly to verify the request or offer associated with the QR code. Until you have verified the source, the simplest thing you can do is not scan the QR code.
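The checks described above (look at the real hostname, compare it with sites you know, watch for swapped letters) can be written down so they are applied the same way every time. The following is an added example written for this article, not Yubico’s or e27’s tooling. It assumes the QR code has already been decoded to a string, as a phone camera’s preview shows it; the allowlist of trusted domains, the shortener list and the sample payloads are constructed for the demonstration.

```python
"""Added example (illustrative code written for this article, not Yubico's or
e27's tooling): inspect the URL decoded from a QR code before opening it.

Assumes the QR code has already been decoded to a string, as a phone camera's
preview shows it. The allowlist of trusted domains and the shortener list are
constructed for the demonstration.
"""
import difflib
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the sites this reader actually does business with.
TRUSTED_DOMAINS = {"example-bank.com", "example-shop.com"}
# Well-known link shorteners: they hide the real destination until opened.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. login.example-bank.com -> example-bank.com.
    Naive (no public-suffix list), an assumption that suffices for this demo."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _verdict(findings):
    severities = {sev for sev, _ in findings}
    verdict = "block" if "high" in severities else "verify" if "medium" in severities else "ok"
    return verdict, [msg for _, msg in findings]


def inspect_qr_url(payload: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, findings) for a decoded QR payload.
    verdict: 'ok' (matches a trusted site), 'verify' (confirm out of band first),
    'block' (shows a classic phishing trick)."""
    findings = []  # (severity, message)
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return _verdict([("high", "payload is not a parseable URL")])
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # tel:, sms:, market: and similar schemes open another app or action
        findings.append(("medium", f"non-web scheme '{scheme}:' opens another app or action"))
        return _verdict(findings)
    if scheme == "http":
        findings.append(("medium", "plain http: no TLS, page can be altered in transit"))
    host = (parts.hostname or "").rstrip(".")
    if not host:
        findings.append(("high", "no hostname in URL"))
        return _verdict(findings)
    if parts.username is not None:
        findings.append(("high", "text before '@' disguises the real host"))
    if any(ord(c) > 127 for c in host) or any(lbl.startswith("xn--") for lbl in host.split(".")):
        findings.append(("high", "internationalised hostname: possible homoglyph of a known domain"))
    try:
        ipaddress.ip_address(host)
        findings.append(("high", "raw IP address instead of a domain name"))
    except ValueError:
        pass  # a normal hostname
    domain = registered_domain(host)
    if domain in SHORTENERS:
        findings.append(("medium", f"link shortener {domain}: destination hidden until opened"))
    elif domain not in trusted:
        # a trusted name buried in a subdomain of some other domain
        decoys = [t for t in trusted if t in host]
        if decoys:
            findings.append(("high", f"'{decoys[0]}' appears inside the hostname but the real domain is '{domain}'"))
        # one swapped or substituted letter away from a trusted domain
        near = difflib.get_close_matches(domain, sorted(trusted), n=1, cutoff=0.75)
        if near:
            findings.append(("high", f"'{domain}' is a look-alike of trusted '{near[0]}'"))
        elif not decoys:
            findings.append(("medium", f"'{domain}' is not on your allowlist"))
    return _verdict(findings)


if __name__ == "__main__":
    # Constructed sample payloads, as a phone might show them after a scan.
    samples = [
        "https://example-bank.com/login",
        "https://examp1e-bank.com/login",
        "http://example-bank.com.login-verify.net/x",
        "https://user@example-bank.com@evil.example/x",
        "https://ex\u0430mple-bank.com/login",  # Cyrillic 'a' in place of Latin 'a'
        "https://bit.ly/3abc",
        "tel:+6512345678",
    ]
    for s in samples:
        verdict, why = inspect_qr_url(s)
        print(f"{verdict:7} {s}  {'; '.join(why)}")
```

The verdicts are deliberately conservative: anything that is not on your own allowlist comes back as “verify”, which is exactly the article’s advice to confirm with the organisation through a channel you already trust before scanning or opening.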

Think before sharing personal information or making payments

As phishing attacks become harder to identify and adopt new tactics such as QR codes, it is crucial to stay vigilant. Be cautious of websites requesting personal, login or financial data. Avoid suspicious payment methods, such as PayPal, Venmo or e-Transfer, and avoid debit cards, which are not protected; opt for a credit card with consumer protection for any purchases. Never disclose banking information or wire funds as a result of a QR code interaction.

Enable strong, phishing-resistant MFA across your accounts

Multi-factor authentication (MFA) offers stronger security than relying on a username and password alone. However, not all MFA methods provide the same level of protection. Enabling MFA wherever possible will help bolster your defences against phishing attempts.

Look for MFA solutions that are resistant to phishing, such as device-bound passkeys, including hardware security keys. Security keys combine something you know (a password) with something you have (the key itself), which you insert into the device and physically touch to gain access to your accounts. What makes them phishing-resistant is that the credential is bound to the genuine site’s domain, so a look-alike site cannot obtain a valid login from it.
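The difference between a phishing-resistant factor and a one-time code is easiest to see in a small model. The following is an added example, not Yubico’s code and not a real WebAuthn implementation: a toy authenticator derives a separate credential key for each site, and the browser, not the web page, records the origin it actually loaded. HMAC stands in for the key’s signature (so the value handed over at registration is a verification secret rather than a public key); that substitution, the `ToySecurityKey` class, and the `example-bank.com` and `examp1e-bank.com` domains are all assumptions made for the demonstration.

```python
"""Added example, not Yubico's code and not a real WebAuthn implementation: a toy
model of why a security key or passkey does not work on a look-alike site, in
contrast with a one-time code that does. HMAC stands in for the key's signature,
an assumption made only to keep the demo in the standard library.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit


class ToySecurityKey:
    """Stand-in for a FIDO authenticator; the master secret never leaves it."""

    def __init__(self):
        self._master = secrets.token_bytes(32)

    def _key_for(self, rp_id: str) -> bytes:
        # One credential key per relying party ID: a look-alike domain yields a different key.
        return hmac.new(self._master, b"credential:" + rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        return self._key_for(rp_id)  # a real key would return a public key here

    def sign_assertion(self, rp_id: str, client_data_hash: bytes) -> bytes:
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        return hmac.new(self._key_for(rp_id), rp_id_hash + client_data_hash, hashlib.sha256).digest()


def browser_sign_in(key: ToySecurityKey, origin: str, challenge: bytes) -> dict:
    """The browser derives rp_id from the origin it loaded and records that origin;
    the page's own scripts cannot change either value."""
    rp_id = urlsplit(origin).hostname
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}, sort_keys=True).encode()
    signature = key.sign_assertion(rp_id, hashlib.sha256(client_data).digest())
    return {"client_data": client_data, "signature": signature}


def relying_party_verify(assertion: dict, stored_key: bytes, rp_id: str,
                         expected_origin: str, challenge: bytes) -> bool:
    """What the genuine site checks on every login."""
    cd = json.loads(assertion["client_data"])
    if cd["origin"] != expected_origin or cd["challenge"] != challenge.hex():
        return False  # produced for another site or another session
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    cd_hash = hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(stored_key, rp_id_hash + cd_hash, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def security_key_login(phishing: bool) -> bool:
    """User scans a QR code; the browser lands on the bank or on a look-alike that
    passes the bank's challenge and the resulting assertion through unchanged."""
    bank_origin, bank_rp_id = "https://example-bank.com", "example-bank.com"
    key = ToySecurityKey()
    stored_key = key.register(bank_rp_id)
    challenge = secrets.token_bytes(16)
    origin = "https://examp1e-bank.com" if phishing else bank_origin
    assertion = browser_sign_in(key, origin, challenge)
    return relying_party_verify(assertion, stored_key, bank_rp_id, bank_origin, challenge)


def otp_code(shared_secret: bytes, counter: int) -> str:
    """Toy HOTP-style code. Nothing in it says which site it was typed into."""
    mac = hmac.new(shared_secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def otp_login_via_lookalike() -> bool:
    """The same scenario with a one-time code: the user types it into the look-alike
    page, which passes it on, and the bank has no way to tell where it was typed."""
    shared_secret, counter = secrets.token_bytes(20), 7
    typed_into_lookalike = otp_code(shared_secret, counter)
    passed_on_to_bank = typed_into_lookalike
    return hmac.compare_digest(passed_on_to_bank, otp_code(shared_secret, counter))


if __name__ == "__main__":
    print("security key, genuine site :", security_key_login(phishing=False))  # True
    print("security key, look-alike   :", security_key_login(phishing=True))   # False
    print("one-time code, look-alike  :", otp_login_via_lookalike())          # True
```

The origin check fails first in the look-alike case, and even without it the signature would not verify, because the key derived for `examp1e-bank.com` is not the one registered for `example-bank.com`. The one-time code carries no such binding, which is the sense in which the article says not all MFA methods offer the same protection.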

Final thoughts

Communicating or engaging with technology has become fraught with potentially dangerous situations threatening our digital identities, but it doesn’t have to feel that way. Remember that if you receive an unexpected email or text with a QR code, don’t scan it, especially if it urges you to act immediately. With the right knowledge or awareness of scams and armed with phishing-resistant MFA tools, navigating the web-based world can become a bit less stressful.



Image credit: Canva

The post Don’t trust the scan: Protecting yourself from QR code attacks appeared first on e27.