QR code use grows in popularity but poses hidden risks
The use of QR codes has risen during the pandemic as they offer a perfect solution to contactless interaction. But many employees are also using their mobile devices to scan QR codes for personal use, putting themselves and enterprise resources at risk.
A new study from security platform MobileIron shows that 84 percent of people have scanned a QR code before, with 32 percent having done so in the past week and 26 percent in the past month.
In the last six months, 38 percent of respondents say they have scanned a QR code at a restaurant, bar or café, 37 percent at a retailer and 32 percent on a consumer product. It's clear that codes are popular and 53 percent of respondents want to see them used more broadly in the future. 43 percent plan to use a QR code as a payment method in the near future and 40 percent of people would be willing to vote using a QR code received in the mail, if it was an option.
However, QR codes are also a tempting attack route for hackers, because the mobile user interface prompts users to take immediate action while limiting the amount of information available beforehand, for example before visiting a website.
"Hackers are launching attacks across mobile threat vectors, including emails, text and SMS messages, instant messages, social media and other modes of communication," says Alex Mosher, global vice president of solutions at MobileIron. "I expect we'll soon see an onslaught of attacks via QR codes. A hacker could easily embed a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned. Or, the hacker could embed a malicious URL into a QR code that directs to a phishing site and encourages users to divulge their credentials, which the hacker could then steal and use to infiltrate a company."
Almost three-quarters (71 percent) of respondents say they can’t distinguish between a legitimate and malicious QR code, whereas 67 percent are able to distinguish between a legitimate and malicious URL.
There's limited understanding of what the codes can do, too. While 67 percent are aware that QR codes can open a URL, only 19 percent of respondents believe scanning a QR code can draft an email, 20 percent believe scanning a QR code can start a phone call and 24 percent believe scanning a QR code can initiate a text message. 35 percent are simply unsure whether hackers can target victims using a QR code.
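To make the actions listed above concrete, here is an added example (not part of the MobileIron study or the original article) that takes the string decoded from a QR code and reports which action a phone would offer, along with details worth checking before acting on it. The function name, the flag wording and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def describe_qr_payload(payload):
    """Map a decoded QR string to the action a phone would offer, plus review flags."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    flags = []
    if scheme in ("http", "https"):
        host = parts.hostname or ""
        if scheme == "http":
            flags.append("no TLS")
        if parts.username is not None:  # text before '@' is not the real host
            flags.append("userinfo before host")
        if _is_ip(host):
            flags.append("raw IP host")
        if any(label.startswith("xn--") for label in host.split(".")):
            flags.append("punycode host")
        return {"action": "open_url", "target": host, "flags": flags}
    if scheme == "mailto":
        fields = parse_qs(parts.query)  # subject/body/cc the code fills in
        flags = ["prefilled " + k.lower() for k in sorted(fields)]
        return {"action": "draft_email", "target": parts.path, "flags": flags}
    if scheme == "tel":
        return {"action": "phone_call", "target": parts.path, "flags": flags}
    if scheme in ("sms", "smsto"):
        # Handles both "sms:NUMBER?body=..." and "SMSTO:NUMBER:message" forms.
        number, _, inline_body = parts.path.partition(":")
        if inline_body or "body" in parse_qs(parts.query):
            flags.append("prefilled body")
        return {"action": "text_message", "target": number, "flags": flags}
    return {"action": "other", "target": scheme or "plain text", "flags": flags}

# Constructed sample payloads (not taken from the study or any real campaign).
SAMPLES = [
    "https://menu.example.com/table/12",
    "http://login.example.com@198.51.100.7/reset",
    "mailto:billing@example.com?subject=Invoice&body=Approved",
    "tel:+15550100",
    "SMSTO:+15550100:YES",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", describe_qr_payload(s))
```
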
"Companies need to urgently rethink their security strategies to focus on mobile devices," adds Mosher. "At the same time, they need to prioritize a seamless user experience. A unified endpoint management solution can provide the IT controls needed to secure, manage and monitor every device, user, app and network being used to access business data, while maximizing productivity. Organizations can also build upon UEM with a mobile threat defense solution to detect and remediate mobile threats, including malicious QR codes, even when a device is offline."
You can read more on the MobileIron site and there's an infographic summary of the findings below.