QR code phishing: the latest cyber threat

One fact every cybersecurity professional remains savvy to is the understanding that threat actors never stand still, and cyber threats are always evolving. As a result, one needs to subscribe to consistent innovation in threat detection and prevention.  

QR code phishing is the latest new cyber threat that is gaining serious traction. Because, whilst they are havens for marketers to redirect from posters and billboard, they can lead to relaxed security behaviours and users scanning unauthenticated data. 

CyberNews data reveals that 86% of smartphone users had scanned a QR code at least once, with 36% of users scanning at least one QR code a week. QR code usage is high with half of smartphone users saying they found QR codes made their lives easier. The popularity of QR codes cannot be overlooked.  

Martin Smith, founder of SASIG (Security Awareness Special Interest Group) said: “The use of QR codes has regained popularity during the pandemic, particularly with NHS Track and Trace and ordering lateral flow test kits. Also, publicly displayed information, such as timetables and menus at bars and restaurants, have introduced QR codes to make it easy for customers to visit a website. Cybercriminals are including QR codes into phishing attacks, a practice known as Quishing. Unsuspecting users inadvertently scan fake QR codes that take users to fake and potentially harmful sites." 

The data behind QR code phishing security is very worrying. MobileIron data reveals that 71% of mobile users surveyed were unable to tell the difference between a legitimate and malicious QR code. Furthermore, more than 1/5 of surveyed users did not have any mobile security to combat against malicious QR codes.  

To that end, we will be examining how threat actors are using QR codes for phishing schemes, as well as some advice on how to avoid falling victim to QR code phishing.  

What are QR codes? 

Now, QR codes are not new. They have been alive in some form since 1994, when a Japanese automotive company used the codes to log and track mechanical inventory and car parts. Developed by Hara Masahiro, an engineer at Denso Wave, QR codes hold 200 times more information than regular barcodes. The QR stands for ‘Quick Response’ and features both horizontal and vertical special barcodes.  

You can use a digital device with a reader/camera to easily scan QR codes to access the data stored inside them. Most modern day smartphones have now built in QR code scanner functionality in their standard camera application.  

Traditionally, an organisation or individual would use a QR code to redirect scanners to an app to download, a connection portal, or a website.  

Around 2015, QR codes seemed to be losing their appeal but due to the COVID-19 global pandemic, restaurants and other consumer-facing businesses needed a sure-fire way to minimise physical contact and maintain social distancing. Enter the QR code era. 

Now, QR codes are used everywhere for contactless payment portals, vaccination records and more! 

How does QR phishing work? 

Whilst the world rallied around QR codes for ease-of-access and its numerous benefits in a socially distanced world, threat actors were also catching onto the sheer number and presence of QR codes in the world. And, in a world where organisations and individuals are becoming more cyber aware about traditional phishing methods such as emails, QR code phishing offers cybercriminals a tangential social engineering avenue.  

In a traditional phishing email, the threat actor is trying to trick a user into clicking a dodgy URL link leading to a malicious website. As cyber awareness and training has grown and knowledge retained, rates of users falling for strange URLs has fallen. By using a QR code, the threat actor can mask a dodgy URL link behind a larger code that needs to be scanned. You cannot tell if a QR code is malicious by looking at it. 

Furthermore, many email filtering security systems that organisations have in place, only flag, and remove URLs or emails from suspicious sources. Many of these industry-used solutions do not have protocols in place for QR codes. Therefore, it falls to the user to be the last true line of defence against QR code phishing.  

Malicious QR codes are also worrying as they can be deployed in physical real world locations. Imagine, if you will, scanning a QR code on an advertising board or menu item, only to be redirected to a malicious website. Cybercriminals could use the trust people have with physical locations to infiltrate their digital data.  

A timeline of QR code phishing incidents 

January to December 2020: Chinese QR code scams 

Throughout 2020, a China-based hacking group targeted civilians in China with millions of QR code based phishing attempts. Over the course of the year, these threat actors stole a collective 90 million Yuan, which totals $18.5 million. Users would click through an email they thought came from a trusted source such as a bank or employer, and unwittingly hand over money or login credentials for financial services.  

October 2021: Microsoft 365 Credential Theft  

In this phishing scam, threat actors used one compromised Microsoft 365 account to email colleagues within the same organisation with a voice note that could only be accessed by scanning a QR code. Once the code was scanned, the user would be asked to log into their Microsoft 365 account. As a result, threat actors gained access to many more Microsoft 365 accounts and their attached data.  

December 2021: German Banking QR Codes 

German users of mobile banking apps started getting emails that appeared to be from their official bank. These emails were carefully crafted with logos and even followed official communication guidelines of the German banks. In the email, a seemingly innocent QR code would prompt users to change their data privacy settings and link to a malicious URL that attempts to trick users into entering their banking login details.  

January 2022: Texas Parking Meter QR codes 

In Texas, law enforcement agents found a host of parking meters that had been labelled with fake QR codes. These QR codes redirected motorists to a hijacked payment portal. In the end, motorists were both paying scammers rather than the official authorities and receiving legitimate fines from said authorities who thought they were not paying.  

QR code phishing: the cybersecurity response 

In early 2022, the FBI issued an advisory warning that QR code phishing will be a massive threat for the near future. As a result, we have put together some suggestions on how to improve your awareness and response to QR code phishing scams: 

• Security Awareness and Training: The reason threat actors are having to use methods such as QR codes is because they are seeing less and less returns from traditional phishing methods. The beauty of this is that the reason they are failing with traditional phishing, is the very way we will combat QR code phishing: training and awareness. Security awareness programmes, when delivered engagingly and consistently will improve awareness of cyberthreats and prevent employees from ever falling for them. 

• MFA (Multi-Factor Authentication): The goal of 99% of phishing attempts is to either instigate the download of malicious files or gain access to login credentials. When you use multi-factor authentication services, you install an extra layer of defence for any employees who are slacking with their password and account security. 
• Verify before scanning: Whether you receive a text message from a colleague or an email from a manager, contact that person directly before you scan the QR code to make sure they have not been hacked. If a QR code appears to come from a trusted source, it is still wiser and safer to double check.  
• Be wary of short links: If a QR code is redirecting you to a URL-shortened link, you will not know where the code is directing you and it could be hiding a malicious URL. 
• Keep an eye out for signs of tampering: Some threat actors mislead consumers by altering legitimate materials such as brochures and ads by placing stickers over legitimate QR codes.  

Cybersecurity and a world of emerging threats 

We at TSC are always hammering home the mantra that new cybersecurity threats are always emerging, innovating, and waiting to pounce. When your organisation closely monitors the landscape and reflects cyber risks in training and development, you give your employees the power to detect, avoid, and report QR code phishing attempts. 

If you would like more information about how The Security Company can help deliver security awareness training, raise awareness, increase security skills, and establish a secure culture, or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact  Jenny Mandley.