In today’s world, where mobility and convenience are key aspects, QR codes (Quick Response codes) have become an integral part of our daily lives. With their help, we can quickly access various content – from websites to bank transfers – without the need to type long URLs or other data. However, like any technology, the use of QR codes, in addition to obvious benefits, also brings certain risks, especially in the context of cybersecurity. It’s worth knowing these risks to protect yourself.
QR codes are used in marketing, logistics, education, banking, and even healthcare. Their ubiquity and simplicity of use are significant. The COVID-19 pandemic and the widespread recommendation to avoid physical contact with potentially infected objects greatly amplified the use of QR codes. The ability to obtain information without direct contact proved to be a hit, especially when we can use them to validate a public transport ticket, make a payment, or even check a restaurant menu.
Do you know how to create a QR code? They know how to “alter” it and make money from it…
Creating your own QR code is very simple: just use one of the many online generators that allow you to incorporate a company logo into the label. Unfortunately, this also opens the door wide for cybercriminals. Quishing (phishing that uses QR codes) is a type of fraud where a manipulated code is used: scanning it leads, for example, to a fake website set up by criminals. It’s important to consider this and avoid scanning QR codes from unknown sources. Such a code, despite having a known company’s logo, might lead to a completely different place than expected and instead of opening the expected website, could install malware on your device, remotely execute harmful queries, or even allow remote control over your device. It can be particularly dangerous if this method is used to take over the second factor of authentication by enabling the sending and receiving of messages.
How does a quishing attack work?
Here are few potential scenarios:
- City parking meter/ticket machine/snack machine. A criminal covers the legitimate QR code with their own, redirecting the completed payment to the criminal’s account.
- Tickets for events bought online or from scalpers may contain a fake QR code, supposedly granting access to the event. With such a fake ticket, event security will deny entry, leading to financial loss and disappointment for the user.
- A fake email impersonating a trusted service provider. A known example is using multi-factor authentication for Microsoft Office 365, requiring renewal. The code redirects the user to a fake site where they are asked to enter their login and password. Such an attack cleverly bypasses computer security and shifts the attack vector to a mobile device, which typically has weaker security than a computer.
QR codes – benefits vs. threats
QR codes are a powerful tool that significantly eases access to various content and information. However, with growing accessibility and the popularity of scanning, the risk related to data security and user privacy also increases. Therefore, awareness of potential threats is crucial, both for users and creators, who should take appropriate precautions. Education, common sense, adherence to best security practices, and regular security updates are key elements in ensuring the safe use of the digital world’s benefits.
Although the risks associated with using QR codes should not be underestimated, they still represent a valuable communication tool if appropriately planned and implemented. Unlike traditional printed materials, content under a QR code can be easily and quickly updated. This is particularly important in a world striving for sustainable development, reducing CO₂ emissions, and forest conservation.
The use of QR codes
For marketing, a significant advantage is the ability to track the effectiveness of an advertising campaign, such as tracking the number of people who scanned the code on a given medium. This allows for easier interaction with the brand, such as through easily downloadable quizzes, surveys, or contests, and a better understanding of customer behavior to refine marketing actions.
This tool is also excellent in education, providing additional materials that support the learning process. Museums can use it to offer visitors access to exhibition information in different languages, enhancing the experience with, for example, video materials showing the real application of an ancient tool, the excavation and restoration process, or the course of an experiment. This can increase the effectiveness of teaching, and the museum itself can more efficiently gather feedback on how to improve its exhibitions to better reach new generations.
Actions involving QR codes unfortunately lack universally accepted and applied security standards, which, combined with underestimated yet highly effective social engineering and low public awareness of IT security, offers cybercriminals a wide range of attack opportunities. Should this discourage you from scanning QR codes? Absolutely not!
Awareness of the threats is the first step to improving security
As a QR code technology user, remember to exercise limited trust and check URLs before opening them in your browser. Organizations and companies using QR codes – especially if they place them in public spaces – should remember to limit easy access to them by unauthorized persons and regularly verify their correct application and set redirections.
