QR Codes’ Cybersecurity Risks

Quick response (QR) codes have become popular marketing, sales, payment and customer service tools. However, as the presence of QR codes increases, malicious actors have found ways to exploit them, including by using them in phishing attacks and spreading malware. These vulnerabilities can lead to significant financial and reputational damage, and business owners should proactively address this exposure.

QR Codes and Their Risks

QR codes function like a barcode. They are a series of pixels arranged to form a large square that contains a long string of data. QR codes can be placed on various items (e.g., posters, flyers or menus) or included as images in digital communications sent by email or messaging apps. QR codes can be scanned by readers and often contain URLs so individuals can access websites without having to type in a web address. Once scanned, QR codes allow clients to access a business’s information or leave a review. They can also be used to prompt users to take specific actions, such as making a payment or downloading an app.

Although they can be useful, the nature of QR codes allows cybercriminals to exploit them. Since legitimate QR codes appear as a random scramble of pixels within a larger square, it can be difficult for users to determine if one is safe or malicious. Additionally, since QR codes may be standalone images, they may not be accompanied by telltale signs of malicious activity (e.g., misspellings, suspicious links). Examples of how cybercriminals can exploit QR codes include:

• Putting a counterfeit code over a legitimate one or tampering with a QR code
• Placing QR codes in high-traffic areas or in strategic locations where it might seem connected to a location or object (e.g., by parking meters) or where curious passersby may scan the malicious code
• Sending fraudulent QR codes in an email or through a communications app

Once the fraudulent QR code is scanned, a user may be vulnerable to security issues, including data breaches through QR code phishing—or “quishing”—attacks, uploaded malware on their devices and device hacking.

Mitigating Risks of QR Codes

As cybercriminals increase their exploitation of QR codes, business owners should mitigate their exposures by:

• Providing continuous education to employees on the dangers associated with QR codes
• Advising employees not to scan QR codes if they are unsure of their origin or if the QR code appears tampered with or altered
• Double-checking the URL to which the code directs
• Installing security software with content filtering that inspects links and attachments and prohibits access to suspicious items
• Maintaining strict access controls and utilizing multifactor authentication systems to add a layer of protection
• Training employees on how to safely use their technology in a bring-your-own-device environment
• Keeping all devices updated and patched and turning off automatic QR code scanning settings
• Reviewing default permissions regarding the sharing of sensitive information
• Reducing the use of QR codes in electronic business communications to disincentivize cybercriminals from using them to target customers.

Businesses electing to use QR codes can also take steps to protect their customers. Strategies to consider include:

• Only using reputable QR code generators
• Customizing QR codes with company branding
• Testing the QR code before distribution
• Ensuring the linked website is strongly encrypted and has visible indications of SSL protection

QR codes can be useful tools, but they can be exploited by cybercriminals to compromise business and customer data, causing significant financial and reputational damage. Through risk reduction strategies, organizations can safeguard their business, employees and clients.

Contact us to see how you could minimize risk: