Thales Blog

QR Code Scams: What You Need to Know About This Phishing Tactic

March 19, 2024

Tim Phipps | Director of Cloud Alliances

In a world where individuals and organizations alike are increasingly dependent on digital processes, cybercriminals are constantly looking for and developing new ways to exploit technology to take advantage of their targets. In recent years, there has been a massive shift toward more touchless solutions in everyday life, and one of those solutions is the quick-response (QR) code. QR codes have been used for a wide range of functions, from digital payments to contactless restaurant menus.

Bad actors have chosen to leverage the prevalence of QR codes to carry out cyberattacks. It is vital to understand these scams to protect against them.

How QR Code Scams Work

Since QR codes were invented in 1994 for the purpose of tracking items in warehouses and factories, they have been adopted for a variety of other business and personal reasons. Most modern smartphones have a QR scanner built into the native camera app, and the average person likely doesn’t think twice before scanning a QR code due to their prevalence in all manner of situations. This readiness to scan makes the QR code a feasible attack vector.

A QR code has the capability of behaving like a link or a barcode, and devices can scan one from a piece of paper, a screen, a sticker, or even a billboard. Cybercriminals take advantage of the versatility and convenience of QR codes to deceive their targets. At their core, these scams exploit the QR code's ability to obscure the destination URL. When you scan a QR code, you don't see the underlying web address, making it an ideal tool for deception.

Some of the methods that have been used in QR scams are:

  • Attaching fraudulent QR codes to phishing emails.
  • Using QR codes for contactless payment that direct targets to the scammer’s payment portal rather than a legitimate one, as in a case reported by the BBC.
  • Tampering with or replacing legitimate QR codes to plant malware on the target device.

While these scams can be extremely convincing, there are often signs users can detect that a QR code may not be what it seems:

  • Poor quality QR code design
  • Unfamiliar domain names
  • Suspicious or out-of-place content
  • Requests for personal information
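Because a QR code hides its destination until it is scanned, the "unfamiliar domain names" check can be automated on the decoded payload before anything is opened. The following is an added example, not code from Thales or the original post; it assumes the scanner has already decoded the QR code to a text string, and `vet_qr_payload`, `EXPECTED_DOMAINS`, `SHORTENERS` and all sample values are hypothetical and constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: domains a hypothetical organization uses in its own QR codes.
EXPECTED_DOMAINS = {"example.com", "pay.example.com"}
# Constructed sample of link-shortener hosts that hide the final destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def vet_qr_payload(payload: str) -> list[str]:
    """Return reasons a decoded QR payload deserves a second look (empty list = none)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"not a web link (scheme {scheme!r}); do not open automatically"]
    findings = ["unencrypted http link"] if scheme == "http" else []
    if parts.username or parts.password:
        findings.append("userinfo before '@' can disguise the real host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return findings + ["no host in URL"]
    try:
        ipaddress.ip_address(host)
        return findings + ["raw IP address instead of a domain name"]
    except ValueError:
        pass  # not an IP literal, so continue with the domain checks
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible look-alike domain)")
    if host in SHORTENERS:
        findings.append("link shortener hides the final destination")
    elif not any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS):
        findings.append(f"unfamiliar domain: {host}")
    return findings


if __name__ == "__main__":
    # Constructed payloads, as a scanner would return them after decoding.
    for s in (
        "https://pay.example.com/invoice/1042",
        "http://203.0.113.7/login",
        "https://pay.example.com@payments.example.net/checkout",
        "https://example.com.evil.example/menu",
        "https://bit.ly/3abcd",
    ):
        print(s, "->", vet_qr_payload(s) or "no warning signs")
```

The suffix match requires a leading dot, so a host such as `example.com.evil.example` is reported as unfamiliar rather than trusted because it merely contains an expected name.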

Addressing the Risks of QR Code Scams

QR code scams can harm victims in many of the same ways as similar attacks, such as phishing with malicious links. Once the target has scanned the QR code, it can lead to a malicious site, a credential farming page, or even a malware download. Scammers can use these methods for profit directly by deceiving their targets into paying money through a fraudulent site: victims believe they are making a legitimate payment, when their money is actually being redirected to the attackers. The aftermath of being scammed can lead to a general distrust of digital innovations, impeding the widespread adoption of beneficial technologies.

Attackers can also cause profound damage by stealing data and using it for a variety of nefarious purposes. QR code scams can be used to harvest login credentials, financial data like credit card and bank account numbers, personally identifiable information, including confidential medical information, and other sensitive data. This information can be used to carry out identity theft, install ransomware, or steal large amounts of money.

Be Vigilant and Adopt Best Practices

Cybercriminals have turned to QR codes as a tactic for several types of attacks, from malware to identity theft. QR code scams are growing in popularity, and organizations and individuals should be on the lookout for any suspicious QR codes. By adopting best practices and remaining vigilant, we can safely enjoy the benefits of QR codes and avoid potential dangers.

To avoid falling victim to a QR code scam, users should be educated and trained in cybersecurity best practices, including specific training in how to recognize the telltale signs of phishing. This is one area where cybersecurity awareness training can go a long way toward protecting an organization. Users who understand the policies in place, the reasons for those policies, and their own role in the security of the company are far better equipped to identify and avoid attacks that could endanger the entire organization.

Easy Control of Your Data

Organizations are also encouraged to establish and maintain a robust security posture in other ways, such as mandating multi-factor authentication to make it more difficult for bad actors to use credential theft to infiltrate the organization. Security gaps can be lessened by keeping software up-to-date and configured correctly. Encrypting data in storage, at rest, and in use can protect it against theft or misuse by bad actors.

The rise of QR codes and the security vulnerabilities associated with them are examples of the kind of risks to take into consideration when balancing security with convenience. Using a QR code for any of the myriad functions it can serve can often save time, cut down on paper waste, or decrease the chances of germ transmission, but this convenience might come at the expense of security. Not enough thought has been put into ensuring that QR codes are trustworthy, leaving the user responsible for determining whether a code is safe and reliable, which not all users are equipped to do.

According to Gartner, 99% of data breaches result from human error. Leaving the fallible human user as the only line of defense is ill-advised, no matter how security-minded they are. Cloud transformation has encouraged innovation in increasing user convenience by enabling users to store their data in somebody else’s data center. However, the security of data in the cloud is still ultimately the customer's responsibility.

Thales sovereignty solutions allow customers to innovate in the cloud without sacrificing security for convenience, through a centralized, automated platform that takes complex processes out of the user’s hands. This reduces the risk of breaches of sensitive data without requiring organizations to employ their own army of highly skilled security specialists. Learn more about our data security platform and identity access management solutions, allowing organizations to protect their data in use and at rest, mitigating some of the risks associated with QR code scams and similar attacks.