
Most of us have started to notice QR codes popping up everywhere. Covid has created a new craze in which businesses have you use your own device in lieu of shared menus, screens, devices and even surveys. While QR codes are easy to deploy, they are also fuelling a new scam across the globe. For those who do not know, a QR code is an easy way to transfer data to your phone: a square, barcode-like picture that can carry text, URLs, downloads and many other things. While most QR codes are useful in nature, an attacker can turn this convenience into a delivery method. QR codes aren’t just cost-effective and simple to use. They’re also essential, especially during a pandemic where contactless transactions have become the norm. What’s more, at least 81 percent of Americans now own a smartphone, and nearly all of those devices can natively read QR codes with no third-party app required. So, QR codes are clearly having their moment.
What the Numbers Say (Hint: It’s Not Good)
My company, MobileIron, wanted to better understand current QR code trends, so in September we conducted a survey of more than 2,100 consumers across the U.S. and the U.K. It confirmed that QR codes are indeed more widely used today. For instance, in the last six months, more than one-third of mobile users scanned a QR code at a restaurant, bar, retailer or on a consumer product.
The results also highlighted some alarming trends: Mobile users don’t really understand the potential risks of QR codes, and nearly three-fourths (71 percent) of respondents can’t tell the difference between a legitimate and malicious QR code. At the same time, more than half (51 percent) of surveyed users don’t have (or don’t know if they have) mobile security on their devices.
Like so many things that feel like they’ve been part of our lives forever, we don’t give QR codes much thought. Mobile devices have conditioned us to take quick actions — swipe, tap, click, pay — all while we’re distracted by other things like working, shopping, eating (and unfortunately, yes, driving).
This is exactly the kind of implicit trust and thoughtless action hackers thrive on. And it’s why, if mobile employees are using their personal devices to access business apps and scan potentially risky QR codes, enterprise IT should start taking a much closer look at their mobile security approach.
So What, Exactly, Are the Risks of QR Codes?
Tampering with an actual QR code would require some serious skills to rearrange the pixelated dots in the code’s matrix. Hackers have figured out a far easier method instead: encoding malicious content in a QR code of their own, which can be generated with free tools widely available on the internet. To an average user these codes all look the same, but a malicious QR code can direct a user to a fake website. It can also capture personal data or install malicious software on a smartphone that initiates actions like these:
- Add a contact listing: Hackers can add a new contact listing on the user’s phone and use it to launch a spear phishing or other personalized attack.
- Initiate a phone call: By triggering a call to the scammer, this type of exploit can expose the phone number to a bad actor.
- Text someone: In addition to sending a text message to a malicious recipient, a user’s contacts could also receive a malicious text from a scammer.
- Write an email: Similar to a malicious text, a hacker can draft an email and populate the recipient and subject lines. Hackers could target the user’s work email if the device lacks mobile threat protection.
- Make a payment: If the QR code is malicious, it could allow hackers to automatically send a payment and capture the user’s personal financial data.
- Reveal the user’s location: Malicious software can silently track the user’s geolocation and send this data to an app or website.
- Follow social-media accounts: The user’s social media accounts can be directed to follow a malicious account, which can then expose the user’s personal information and contacts.
- Add a preferred Wi-Fi network: A compromised network can be added to the device’s preferred network list and include a credential that automatically connects the device to that network.
Easy Things We Can All Do to Minimize the Risks
As scary as these exploits are, they aren’t inevitable. Educating users about the risks of QR codes is a good first step, but companies also need to step up their mobile security game to protect against threats like spear phishing and device takeovers.
What Users Can Do
Take a good look first: Make sure the QR code is legit, especially printed codes, which can be pasted over with a different (and potentially malicious) code.
Only scan codes from trusted entities: Mobile users should stick to scanning codes that come only from trusted senders. Pay attention to red flags like a web address that differs from the company URL — there’s a good chance it links to a malicious site.
Watch out for bit.ly links: Check the URL of a bit.ly link that appears after scanning a QR code. These links are often used to disguise malicious URLs, but they can be safely previewed by adding a plus symbol (“+”) at the end of the URL.
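As an added example (not from the article or from MobileIron), here is a small Python triage function that takes the text a scanner decodes from a QR code, labels which of the actions listed above it would trigger, and applies the user tips just given: it flags links outside a list of trusted domains, lookalike hosts, and shortener links, for which it builds the "+" preview URL. The scheme conventions it recognises (tel:, SMSTO:, mailto:, geo:, WIFI:, vCard/MECARD) are the standard ones scanner apps understand; the shortener list, trusted domains and sample payloads are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Common URL-shortener hosts (assumption; extend for your environment).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Non-web payload schemes and the action the phone offers when scanned.
ACTIONS = {
    "tel": "initiates a phone call",
    "sms": "composes a text message",
    "smsto": "composes a text message",
    "mailto": "drafts an email",
    "geo": "opens a map location",
}

def classify_qr_payload(payload, trusted_domains):
    """Classify one decoded QR string; returns (kind, target, warnings).
    trusted_domains: registrable domains you control, e.g. ("example.com",)."""
    p = payload.strip()
    head = p.upper()
    if head.startswith("WIFI:"):  # WIFI:T:WPA;S:<ssid>;P:<password>;;
        m = re.search(r"S:([^;]*);", p)
        return ("wifi", m.group(1) if m else "",
                ["adds a preferred Wi-Fi network with an embedded credential"])
    if head.startswith(("BEGIN:VCARD", "MECARD:")):  # contact card formats
        m = re.search(r"(?:^|[\n;:])(?:FN|N):([^\r\n;]*)", p)
        return ("contact", m.group(1) if m else "", ["adds a contact entry"])
    u = urlparse(p)
    if u.scheme in ACTIONS:  # tel:+1..., SMSTO:+1...:body, mailto:..., geo:lat,lon
        return (u.scheme, u.path.split(":")[0], [ACTIONS[u.scheme]])
    if u.scheme in ("http", "https"):
        host = (u.hostname or "").lower()
        warnings = []
        if u.scheme == "http":
            warnings.append("plain-http link")
        if host in SHORTENERS:  # the article's tip: append "+" to preview
            warnings.append(f"shortened link; preview it at {p}+ before opening")
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            warnings.append("host is not a trusted domain")
            if any(d in host for d in trusted_domains):
                warnings.append("trusted name embedded in untrusted host (lookalike)")
        return ("url", host, warnings)
    return ("unknown", p[:40], ["unrecognised payload type"])

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would hand them to the OS.
    for s in ("https://bit.ly/3xyzAbc", "WIFI:T:WPA;S:FreeCafe;P:hunter2;;",
              "SMSTO:+15551234567:hello", "https://example-bank.com.evil.test/login"):
        print(classify_qr_payload(s, ("example-bank.com",)))
```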
What Companies Can Do
Hopefully your company is using an on-device mobile threat defense solution that can protect against phishing attacks, device takeovers, man-in-the-middle exploits and malicious app downloads. (If not, start looking for one now!) You need to ensure it’s deployed on every device that accesses business apps and data, because enterprise security is only as good as the weakest link in your company. Also, educate users about what it protects against (and also what it doesn’t).
If you do nothing else, now’s the time to consider eliminating password-based access to business and cloud apps, which is one of the top causes of data breaches today. By shifting to passwordless multi-factor authentication, you not only eliminate the threat of stolen passwords, you also eliminate the hassle of maintaining them — which makes everyone (except hackers) a lot happier and more productive.