QR code phishing: Why it’s on the rise and how to protect your business

In the ever-expanding landscape of cyber security threats, one scheme has been silently making its way into our digital lives—QR code phishing. QR codes (also known as Quick Response codes) were invented by Japanese automotive company, Denso Waves, in 1994 after they were tired of dealing with the complications of simple barcodes

Photo by Markus Winkler on Unsplash

QR codes may claim to lead you to a trusted website and actually be a spoofed domain, tricking clickers into giving their information. Or, QR codes may prey on the curious by placing anonymous QR codes in the real world, claiming to give out prizes or lead them to cool websites but in turn lead them to malicious domains. The format of a code, rather than a link, leads people to believe they are harmless and cyber criminals know to take advantage of this belief. 

Where is it most common?

QR code phishing is a versatile threat that can manifest in various scenarios. It’s commonly found in:

• Emails and Messages: Cybercriminals often use social engineering tactics to send QR codes via emails or messages, masquerading as legitimate sources.
• Fake Promotions: Malicious QR codes may be distributed through fake promotions, enticing users to scan for discounts or exclusive deals.
• Physical Spaces: Fraudulent QR codes strategically placed in public spaces, on posters, or even on product packaging can catch individuals off guard.

Why is it on the rise?

A study by Hoxhunt Security found that 22% of phishing attacks used QR codes in the early weeks of October 2023. But, if these codes were invented in 1994, why are cyber criminals just beginning to use them now?

Cyber criminals follow typical digital trends. The key to phishing is to seem authentic. The easiest way to do that is to target people in the most popular digital spaces. When people began texting, cyber criminals began SMS phishing. When people became obsessed with social media, cyber criminals began social engineering on social media. So, when QR codes became a part of our daily lives, especially during the pandemic when businesses wanted most things touch-free, you bet cyber criminals jumped at the opportunity to use a new format for phishing. 

On top of this, QR codes are used to be quick and easy. They are replacing links because it only takes a few seconds to pull out your phone and scan rather than type out a whole URL. Urgency and ease is the best environment for cyber hacking. People aren’t paying attention, they just want to get a task done, so they aren’t taking the time to double-check the URL preview or reach out to an employee to verify. 

Cases

QR code phishing can easily target many individuals across different industries. For example, this year Cofense has been tracking a major QR phishing campaign that is targeting professionals across different industries, but heavily targeting those in the energy industry. The campaign used QR codes claiming to redirect employees to a Microsoft Bing domain to authenticate their accounts. The URL sent employees originally to a Microsoft website but then redirected them to a malicious website after credentials were entered. So far the study found that 29% of 1,000 emails successfully obtained login credentials of employees. 

Another scam targeted individuals, by claiming to be FedEx or DHL demanding pay for customs duties. The victims would scan a QR code and be taken to a fake bank card entry page. 

How to protect yourself

Source verification 

Verify the QR source before scanning. Start by asking yourself, were you expecting this message? Have you received verified communication from this sender before? Does moving onto your mobile phone to complete this action make sense?

Take verification a step further by contacting the sender to confirm the purpose of the QR code message. If it is from a personal contact, reach out to them on another channel such as text or phone call. If it’s a company like FedEx or Microsoft, call their customer service line or check their website for any information about the mentioned update or action steps. 

URL previewing & analyzing 

Use the link preview feature on Smartphones before following the scanned link to the website. When you scan a QR code, a preview of a link will pop up. Before clicking, take a look at the URL and see if it matches the confirmed website address of the sender. If it doesn’t match, avoid going any further and report the QR code to a verified source of the claimed sender. 

How to protect your business & employees

The best way to protect your business and employees from QR code phishing is to encourage them to follow the advice from above. Ensure that they follow these procedures when scanning any QR code and understand the possible consequences of clicking on a malicious code. Additionally, you should: 

Share blogs & articles 

Share any relevant articles or blogs (like this one!) in your organization’s Slack channel or chosen messaging platform to raise awareness about QR code phishing. Keeping these conversations casual can help encourage organic conversations about QR codes and the potential risks around them. 

Have a module on QR phishing 

Integrate a dedicated training module on QR code phishing in your security awareness program. By having a dedicated module on QR code phishing, your employees will understand that the topic is just as important and common as other phishing methods. It will also allow them to ask any questions they have about QR code phishing.

Curious about implementing customized courses for your employees? Schedule a call with us. 

Focus on culture & take away urgency 

Foster a cyber security culture that emphasizes the importance of verification over immediacy. Encourage employees to take a moment to analyze QR codes rather than succumbing to the urgency they may feel to get a job done. In a culture of getting things done rapidly, employees are more likely to make mistakes. 

QR code phishing has emerged as a potent weapon for cybercriminals. By understanding the nature of QR code phishing, staying informed about real-world cases, and implementing proactive measures, you can empower your team to navigate the digital landscape with confidence and resilience. Stay vigilant, stay informed, and let’s collectively build a cyber-secure future.

Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.