For every technological breakthrough, there seems to be a malicious actor plotting devious ways to exploit it for monetary gains. The QR code spares no expense.
If you shop regularly on Amazon, then you’re familiar with the QR code, as they are now popping up on your Amazon return notifications. Or if you use Coinbase, the large cryptocurrency exchange that had more than 20 million landing page views in one minute, from a thirty second Super Bowl commercial. Given how prevalent QR codes are becoming, it may be easy to assume they’re safe. However, the truth is that they’re a favorite of malicious actors who use it for their nefarious purposes (usually making money and wreaking vengeful havoc).
Before going any further, let’s define what a QR code actually is.
What is a QR Code?
A QR code is a square barcode used to provide quick access to websites, digital menu for restaurant ordering, payment for products and services, and to track shipping labels. The frequency of QR code usage has risen dramatically because it offers convenient and contactless access. This was a huge benefit during the COVID-19 pandemic.
What is it used for?
There are numerous platforms and industries that use QR codes to carry out specific objectives. QRCode-tiger.com lists several ways QR codes are being used online today.
- Convenient access to a website URL
This enables a user to scan the QR code with their smartphone camera to directly access a website.
- Send YouTube and Google drive videos with ease
Send embedded video links from either platform to your friends and family, through a simple QR code. This takes away the step of manually typing a video’s title.
- Enable free Wi-Fi access
Replace the hassle of memorizing your Wi-Fi password without any configuration or authorization required. Instead, with a quick tap of a QR code, you’ll be immediately connected to the internet.
- Easily download mobile applications
Reduce your app download time when scanning QR codes. This allows for more accurate real- time monitoring of what you scanned including the date and the location of said scan.
How do bad actors use QR codes to steal your money?
Threat actors use multiple methods to turn QR codes into vehicles for their illegal actions. For hackers, it’s as simple as sending you a QR code to a fake web page that then siphons money out of your digital wallet.
According to Hank Schless, the Senior Manager of Security Solutions at Lookout, here are other techniques used by bad actors to get your sensitive data:
- Edit a commercial and embed a malicious QR code to promote on social media channels.
- Build a fake log-in page and use a QR code to advertise a malicious URL address. This will be used to manipulate individuals into sharing their login credentials.
In all of these circumstances, the primary purpose of the malicious actors remains the same: to completely drain your bank account.
How can I protect myself from it?
Here’s where we turn to the FBI for guidance. In a recent announcement, the FBI lists tips to protect yourself when it comes to QR codes:
- Practice caution and check the URL. Be vigilant when entering login, personal, or financial information from a site navigated to or from a QR code. Once you scan a QR code, verify the URL to make sure it is the intended site and looks authentic. A malicious domain name may look similar to the intended URL but with typos or a misplaced letter.
- Check for physical tampering of labels. If you’re scanning a physical QR code, ensure the QR code label has not been tampered with. For example, if there’s a QR code label that was placed on top of the original code.
- Avoid downloading a QR code scanner app or apps from QR codes. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app. Additionally, use your phone’s app store for a safer, more secure download.
- Verify any email regarding a payment failure. For example, if you receive an email stating that your payment failed from a company you recently made a purchase with, a “fake” email will probably say that you can only retry your payment through a QR code. This is a major red flag so be sure to call the company to verify. To ensure that you call the real company, be sure to get their phone number from a trusted website. Do not use the phone number provided in the email.
- Likewise, avoid making payments through a site navigated to or from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
- Reach out directly. If you receive a QR code that you believe is from someone you know, reach out to them through a known number or address to verify that the code is indeed from them.
How can Mentis help me?
Managing your network from unforeseen vulnerabilities is a never-ending journey that we understand well. In order to successfully navigate security risks, you’ll need a trusted expert who is on top of the latest cybersecurity threats. Click here to learn how we can protect your business from the evolving cyber threat landscape.