The rising threat of QR Code attacks
From track-and-trace to ordering from menus at restaurants, we have seen QR codes come into wide use across multiple industries over the past year. The ease of use and accessibility that these two-dimensional barcodes have offered customers during the pandemic has meant more and more companies have adopted them as part of their business operations.
However, the more mainstream the technology has become, the more attractive it is for cybercriminals who are now exploiting our increased familiarity with this technology by sending out targeted phishing emails containing malicious QR codes.
How are QR codes exploited for fraud?
QR codes are used in phishing campaigns where they are combined with social engineering tactics. These phishing campaigns work on the principle that the victim receives a scam email with a QR code included, and they scan this code to complete a ‘required action’, such as securing an account, or paying an outstanding delivery fee. The fraudulent site will then gather any credentials the victim might enter, from usernames and passwords to bank details and social security numbers. In fact, this new threat vector has become so prolific that in January 2022, the FBI issued a warning about cybercriminals using maliciously crafted QR codes to steal people’s credentials and financial information.
Why are QR code attacks so appealing to cybercriminals?
Several factors make QR codes an appealing attack tool. Firstly, codes can be used in emails as a substitute for URL links or attached files that might get intercepted when scanned by the email gateway. This means that the attackers run far less risk of detection. The indirect nature of the QR code also helps to further disguise dangerous content; the QR code itself is not malicious and there is nothing to give one set of pixelated squares away as a potential threat.
This, combined with our growing familiarity with the technology, makes users more likely to trust a QR code in situations where they might have been suspicious of a normal link. And because QR codes are “mobile-friendly”, the odds that an unsuspecting victim will scan one with a personal or otherwise unsecured device are higher, further boosting the attacker’s chance of success.
Can we expect to see a rise in these types of attacks in the coming year?
For cybercriminals, phishing is a minimal-effort, maximum-result threat vector, meaning that phishing attacks exploiting the growing public awareness of QR codes will only escalate in 2022. As more and more companies adopt QR codes in their business practices, the surface of legitimate activity for attackers to spoof will grow. However, it is important to note that the use of QR codes is part of a wider move towards mobile attacks, and that this year will also see an increase in QR codes being used in malware campaigns. In mobile attacks, illegitimate QR codes trick users into installing malicious apps via websites or app stores. These apps have the potential to log every keystroke, steal credentials and data, and send expensive SMS messages from the victim’s phone.
How then, can organisations best defend themselves against QR code attacks?
The increased use of QR codes and other novel evasion techniques in 2022 will force enhancements to detection technologies and user education. Most people know these days not to click on a link in an unsolicited email, but now the importance of scrutinising QR codes must be emphasised too. Remember, if the email or text message containing a QR code looks suspicious, it more than likely is.
So, when an email with a QR code pops into a user’s inbox, rather than racing to scan the familiar square, they should carefully examine the message to check whether the sender ID matches the address and whether the wording and logos are all correct. If in any doubt, the message should be referred directly to the security team; I think everyone would agree that it is preferable to take this small extra precaution than to become the next victim of QR code fraud.
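The two points above, that a QR code lets a link slip past gateway URL scanning, and that the decoded destination should be checked against the sender before anyone visits it, can be turned into a concrete gateway-side or help-desk triage step. The following is an added example written for this article, not code from the original post or from any vendor. It assumes the QR image has already been decoded to a string by a decoder library such as pyzbar (that step is not shown), that the sender address is taken from the message's From header, and that the domains, sender address and shortener list are constructed placeholders; the registered-domain logic is a deliberate simplification and a real deployment would use the Public Suffix List.

```python
"""Triage a decoded QR-code payload from an email before anyone visits it.

Added example; assumes the QR image was already decoded to a string.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sender address used by the samples below.
SAMPLE_SENDER = "deliveries@example-courier.com"

# Shortener domains hide the real destination from a reader (and a gateway).
# Short, assumed list for the example; extend it for real use.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplifying assumption for the example; production code should consult
    the Public Suffix List so that names like 'example.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True if the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload: str, sender: str) -> list[str]:
    """Return findings for a decoded QR payload; an empty list means clean."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # App-store and deep-link schemes push the user towards installing
        # an app rather than visiting a page; surface them for review.
        findings.append(f"non-web scheme: {scheme or '(none)'}")
        return findings
    if scheme == "http":
        findings.append("unencrypted http link")

    host = parts.hostname or ""
    if parts.username is not None:
        # 'https://brand.example@other.example' sends the browser to
        # other.example; the part before '@' is only a decoy.
        findings.append(f"userinfo before host (decoy: {parts.username})")
    if is_ip_literal(host):
        findings.append(f"IP-literal host: {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host (possible homograph)")

    link_reg = registered_domain(host)
    if link_reg in SHORTENERS:
        findings.append(f"URL shortener: {link_reg}")

    # Compare the link's registered domain with the sender's.
    sender_reg = registered_domain(sender.rsplit("@", 1)[-1])
    if not (host == sender_reg or host.endswith("." + sender_reg)):
        findings.append(f"link domain {link_reg!r} does not match sender {sender_reg!r}")
        if sender_reg in host:
            # e.g. sender-brand.com.attacker.example: brand name used as bait
            findings.append("sender domain embedded as a subdomain of another domain")
    return findings


def triage_samples() -> dict[str, list[str]]:
    """Run the triage over constructed payloads and return findings per payload."""
    samples = [
        "https://example-courier.com/track/ABC123",                      # clean
        "https://example-courier.com@198.51.100.7/pay",                  # decoy + IP
        "http://example-courier.com.reschedule-delivery.example/fee",    # brand as bait
        "market://details?id=com.example.app",                           # app install
    ]
    return {p: triage_qr_payload(p, SAMPLE_SENDER) for p in samples}


if __name__ == "__main__":
    for payload, findings in triage_samples().items():
        print(payload)
        for f in findings or ["no findings"]:
            print("   -", f)
```

A message whose decoded payload produces any finding can be held for review or handed to the security team, which is the same escalation path the article recommends for the user; the difference is that the check runs on the decoded destination rather than on the picture of squares the gateway would otherwise ignore.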
Moreover, current email security is focused primarily on prevention, yet every single day businesses are still falling victim to social engineering attacks. Organisations, then, are far better off accepting that employees will continue to be the target of phishing attacks, and that some of those attacks will reach the inbox undetected. This is where security awareness training is so critical: it gives employees the skills to recognise the signs of a phishing or social engineering attack.
It is also crucial that companies implement a robust, layered security strategy, one that includes real-time detection of zero-day and previously unseen phishing threats. By adding real-time detection and automated remediation capabilities to identify and eliminate threats rapidly, we can minimise the impact when a malicious email makes it through our defences.