QR code scams are an increasingly challenging threat for people and businesses alike, with fraudulent activity on the rise.
QR phishing, or Quishing, is a cyber threat that is able to bypass the usual checks individuals make to avoid the common signs of phishing. It moves a cyberattack from a protected email environment to the user's mobile device, which is often less secure.
A fraudulent QR code might redirect a payment through a convincing third-party website, allowing hackers to capture credit or debit card information and use it to make fraudulent purchases.
Quishing scams continually on the rise
Whilst QR codes are now widely seen as a new, more efficient way to share website links and information, or make payments, this convenience can be exploited. In fact, the number of QR code scams in the UK has soared, with over 400 reported this year alone and 1,200 investigated by Action Fraud since 2020.
QR codes have become immensely popular with businesses, as they enable the sharing of critical information and other communications. However, in an ever-expanding threat landscape, some forms of exploitation are inevitable. A particular concern is that QR codes are viewed as less secure and so are not ideal for sharing confidential data.
For businesses, the impacts of such a cyberattack could be devastating. Fake QR codes created by bad actors could lead customers to fall victim to phishing scams, data breaches, or fake payment portals.
Microsoft has offered advice for identifying the different types of QR code scams, stating: “Using QR codes for payments was extremely popular during the height of the COVID-19 pandemic since it allowed customers to make purchases without touching card readers, minimising the spread of germs. However, scammers can place QR codes in public places to steal your money or credit card information.
“Make sure the URL seems legitimate and that it isn’t a misspelling of a real URL (for example, “Microsaft.com” instead of “Microsoft.com”).”
Threat actors exploiting everyday people, affecting business trust
2023 has seen a new era of cybersecurity threats, with cybercriminals leveraging sophisticated methods to exploit vulnerabilities and gain unauthorised access to sensitive information.
Concerns about Quishing scams were raised again in 2023, when a victim was scammed out of £13,000 by a fake QR code at a railway station. The BBC reported that the victim was sent to a fake website which allowed the cybercriminals to redirect payments and card information, resulting in the loss of thousands of pounds.
This type of incident could result in some public mistrust of new technologies, ultimately impacting business use of the product itself.
James Dyer, Threat Intelligence Lead at Egress, comments: “When QR codes were first introduced in the 2010s, people were very sceptical of this new technology as they didn't really know how they worked and approached them with extreme caution. However, time and exposure have relaxed people’s attitudes.
“In recent years, multi-factor authentication apps have featured QR code verification, which has further eased people’s nerves and increased trust in using QR codes. Unfortunately, cyber gangs have been waiting for the perfect moment to strike. The sweet spot for them is where tech transitions from being new and alien to being used daily; this is where familiarity can breed complacency, and people scan QR codes without additional thought, making them more susceptible to attacks.”
He continues: “QR codes act like a barrier between the public and the website which it links to, so people can’t hover over the hyperlinks to see the potential end destination before choosing to navigate there. With malicious QR codes popping up everywhere including emails and posters, we've seen a surge in typosquatting (lookalike domains) which mimic trusted organisations like Microsoft.
“Simple practices to prevent a QR-code attack include being wary before scanning a new image – does it look like there’s a sticker of a new QR code over an existing one? Does the preview hyperlink look suspicious? If in doubt, head to the official website in a browser or ask a member of staff if you’re at a shop or restaurant before scanning.”
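The lookalike-domain check recommended in the quotes above can be automated for URLs decoded from QR codes, for example in a mail gateway or scanner app. The following is an added example, not code from the article or from any vendor it quotes; the allowlist, the function names and the distance threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the organisation's own allowlist. "microsoft.com" is the
# article's example; "example.org" is a constructed placeholder.
TRUSTED = ("microsoft.com", "example.org")

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_qr_url(url, trusted=TRUSTED, max_distance=2):
    """Return (verdict, nearest_trusted_domain) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ("invalid", None)
    if parts.scheme not in ("http", "https") or not host:
        return ("invalid", None)
    for dom in trusted:
        # Exact match or a genuine subdomain of a trusted domain.
        if host == dom or host.endswith("." + dom):
            return ("trusted", dom)
    labels = host.split(".")
    for dom in trusted:
        # Compare the same number of trailing labels as the trusted domain has
        # (a simplification; production code should use the Public Suffix List).
        candidate = ".".join(labels[-(dom.count(".") + 1):])
        if edit_distance(candidate, dom) <= max_distance:
            return ("lookalike", dom)
        # Trusted name used as a prefix of someone else's domain.
        if host.startswith(dom + ".") or "." + dom + "." in host:
            return ("lookalike", dom)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for u in ("https://Microsaft.com/pay", "https://login.microsoft.com/",
              "https://microsoft.com.secure-pay.example/x", "https://parking.example.net/"):
        print(u, "->", classify_qr_url(u))
```

An "unknown" verdict means only that the domain is not close to anything on the allowlist, not that the destination is safe.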