How many times a day do you see a QR code for you to scan with your smartphone to direct you to a website, enable you to download an app, link you to a coupon, or send you to a payment portal? Often enough that you probably don’t think anything of opening your phone’s camera and following the directions that pop up after you scan the code. Unfortunately, our growing comfort with using QR codes is the exact reason why malicious actors are now using them as a new vector for phishing or malware attacks. Understanding the potential risks is key to educating your workforce and deploying effective cybersecurity to protect your organization.
A Quick Response (QR) code is a square-shaped two-dimensional code of light and dark pixels that provides more information than a standard bar code. QR codes were invented in the 1990s by a subsidiary of Toyota, Denso Wave, to track automobiles throughout the production process. They can be scanned by a digital device such as a cell phone camera, and their use has become increasingly popular for directing people to websites offering product information, videos, or touchless payments. They’re used for marketing, real estate, digital business cards, smart packaging, and even in lieu of physical menus in restaurants. This ubiquity makes QR codes an attractive option for hackers looking to fool users who may be savvy to typical phishing techniques but unfamiliar with the ways a QR code can be used maliciously.
The ways in which cybercriminals could deploy QR codes to steal information, commit theft, or install malicious software mirror familiar tactics. The novel aspect of the attack is the channel by which victims are lured into divulging sensitive information, downloading malware, or sending money. Possible scenarios include:
| Type of Attack | Description |
| --- | --- |
| Phishing attacks | QR codes are more likely to slip through standard email protection, so they can be sent in email as part of a social engineering attack. Users who scan the code are taken through a process that ultimately requires them to enter their credentials or other sensitive information. |
| Counterfeit codes | Cybercriminals replace legitimate QR codes placed by a company with false codes that direct users to a phishing site or an iframe pop-up that can install malware on their phone. |
| Malicious QR codes deployed with social engineering tactics | Decoy QR codes accompanied by tempting but minimal text (“Scan to enter to win an iPhone 16 Pro Max”) are placed in high-traffic areas to increase the likelihood that the unwary will scan. |
| Clickjacking attacks | The QR code sends users to a credible-looking site with actionable content like buttons to click through. The result is malware being installed on the user’s device or private information being stolen. |
| Financial theft | QR codes direct the user’s payment to the criminal’s account instead of to a legitimate recipient or payment portal. |
There’s nothing that immediately differentiates a suspect QR code from a legitimate one to the average user in the way that a misspelling or unfamiliar top-level domain can raise a red flag for a malicious URL. That means extra caution is warranted around the use of QR codes in your organization.
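Once a scanner app or mail gateway has decoded a QR image to its text payload, the destination can be inspected the same way a visible URL would be. The sketch below is an added example, not code from the original article; the function name, the shortener list, the expected domains and the sample payloads are all assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a small constructed sample of link shorteners, not a complete list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def assess_qr_payload(payload, expected_hosts):
    """Return findings for a decoded QR payload; an empty list means nothing was flagged."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Payment, Wi-Fi, SMS and similar payloads act without showing a web page first.
        findings.append(f"non-web payload type: {scheme or 'plain text'}")
        return findings
    if scheme == "http":
        findings.append("unencrypted http link")
    if parts.username or parts.password:
        findings.append("userinfo before host hides the real destination")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        findings.append("no host in URL")
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, continue with name checks
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host label")
    if host in SHORTENERS:
        findings.append("link shortener hides the final destination")
    # Match the expected domain itself or a true subdomain, never a look-alike prefix.
    if not any(host == e or host.endswith("." + e) for e in expected_hosts):
        findings.append(f"host {host} is not an expected domain")
    return findings

if __name__ == "__main__":
    expected = ["example.com"]  # constructed: domains the organisation prints on its own codes
    samples = [  # constructed payloads, as a decoder would return them
        "https://menu.example.com/table/12",
        "http://198.51.100.7/login",
        "https://example.com@xn--exmple-cua.test/pay",
        "https://example.com.evil.test/",
        "bitcoin:PLACEHOLDER_ADDRESS?amount=1",
    ]
    for s in samples:
        print(s, "->", assess_qr_payload(s, expected) or "no findings")
```
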
A high proportion of all successful cyberattacks are caused by human error, such as falling for a phishing email or clicking on a malicious link. Updated cybersecurity training is a vital first line of defense against QR code attacks that could result in a data breach, ransomware, or malware attack. Teaching your staff to slow down when asked to use a QR code, and to evaluate the actions they’re being asked to take with heightened scrutiny, is the most powerful safeguard. In addition, ongoing monitoring and 24/7 incident response are vital for quickly detecting and neutralizing threats before serious damage can be done.
The tactics malicious actors employ to attempt to steal sensitive information or extort payment from businesses are continually evolving. At Right Click, Inc., our expert cybersecurity and IT team enables your organization to take a proactive approach to safeguarding your systems and data. With 24/7 support, our highly trained technicians are available to respond to incidents day or night. To find out more about how we can protect your business, contact us here to schedule your consultation.