What Marketers Need to Know About QR Code Security

We’ve previously discussed all the creative uses for QR codes and how adoption of QR codes skyrocketed once both Android and iOS devices added QR code scanning capabilities to the native photo apps. Now let’s talk about what brands and marketers are worried about lately … QR code security.

Could scammers use QR codes to try and trick unsuspecting people into scanning a malicious QR code? Sure. The same can be said of shortened URLs like Bit.ly, vanity URLs or look-alike domains. Scammers try to use those to lure unsuspecting people into typing those links into a browser or clicking through to those links. What do they all have in common? They’re all driving eyes somewhere to collect information or interact with devices used. They also look sketchy when you look closely, and you too could get tricked if you’re not paying attention.

QR codes themselves can’t be hacked – the security risks associated with QR codes derive from the destination where QR codes go rather than the codes themselves.

Here are some of the biggest QR code security risk terms and what they mean:

QRLjacking

QRJacking, short for Quick Response Code Login Jacking, is a type of attack where scammers trick someone into scanning a QR code with a mobile device’s authenticator app when setting up access to the system that requires logging in. Most legitimate login systems that have your sensitive information would have a secure, two-factor or multifactor authentication method available for you to set up. After set up, logging in requires more than just a username/password combination. Many use an authenticator app, like Google Authenticator, and the setup process inside the authenticator app does have you scan a QR code. You wouldn’t scan a QR code using the native camera app on your phone for this use case.

Quishing

Quishing, short for QR code phishing, is the process of using a QR code for a phishing attack. Scammers craft emails that look like a legitimate sender and have an embedded, malicious QR code. An example of this would be an email that looks like it’s from Microsoft to tell you that your multifactor authentication method is expiring and asks that you scan the QR code in the email to update your information. According to internal data sources, credential phishing accounts for about 80% of all QR code-based attacks, with invoice fraud and extortion rounding out the top three attack types. First, having a QR code image in an email does not make sense. It’s a digital communication where you couldn’t even scan if you were accessing email on your mobile device, but if you’re not paying attention and are looking at your work email on your computer, you may fall for it. 

Baiting

Baiting is a type of social engineering attack where scammers use bait to deceive their targets. In a QR code baiting attack, scammers can leave random malicious QR codes in public spaces to entice people into scanning them.

Cloning

Scammers can create an identical looking, to the naked eye at least, clone of a legitimate QR code of a trusted brand. The cloned code can then send scanners to phishing websites that capture sensitive information. These cloned codes could be printed on physical materials or embedded on malicious websites.

Scanner apps

While QR and barcode scanner apps are usually safe, some can be risky. For example, a barcode scanner app on Google Play infected 10 million users with one update in late 2020. Users should use the native Android or iOS camera app to scan QR codes. Scanning apps are not necessary.

Malware

Attackers may link a QR code to a malicious website that infects computers and devices with malware. Trojan password-stealers or keyloggers can help attackers commit identity theft or other crimes.

What do QR code scanners need to pay the closest attention to?

Source Verification

Check the source of the QR code. Ensure that it comes from a reputable and trusted entity. Avoid scanning QR codes from unknown or suspicious sources. Don’t scan a code from a random sign at a bus stop. If you receive a direct mail piece from a trusted brand, it is generally safe to scan. Scammers are not going to pay to buy a list, design something that looks legitimate, print and pay postage to mail you something with a QR code that takes you to a malicious destination.

URL Inspection

If the QR code directs you to a website, carefully inspect the URL before going deeper into a website or volunteering any information. Fraudulent QR codes may lead to phishing websites with URLs that mimic legitimate sites. Look for misspellings, extra characters or unusual domain names.

Design and Layout

Authentic QR codes from reputable sources usually adhere to standard design and layout practices. Be cautious if the QR code design appears altered, has unusual colors or seems poorly printed. Legitimate businesses and organizations typically maintain a consistent branding style.

The biggest takeaways from this:

1. Brands should always use a trusted QR code generator platform where all users must have their own unique login credentials (no sharing across an organization or departments).
2. Scanners should stick with their mobile device’s native camera app to scan QR codes and only do so on trusted brand communications.
3. Scanners should keep any personalized QR codes in a safe place – ideally password-protected or behind secure authentication methods, like multifactor or face ID.