Holiday season cybersecurity alert: QR code phishing scams
Thanks to the proliferation of smartphones, QR code usage globally has surged by 57 percent, and by 2025, it is forecast to increase by another 22 percent. And up to eight new QR codes are generated per minute globally.
It is no surprise, then, that QR codes are everywhere -- on billboards, shopping malls, event brochures, restaurant menus, charity websites, parking spaces, you name it! Of course, the genius of QR codes is their ease of use and convenience. For users, one scan and the job is done, be that registering for an event or purchasing an item.
The brilliance of QR codes is not lost on scammers. This ubiquity of QR codes presents an immense “quishing” (QR code phishing) opportunity to cybercriminals. Scammers place fake QR codes in busy physical and online public areas or embed them in phishing emails and bogus social media ads to trick users into visiting malicious websites. They’ll also set up email IDs, URLs, and web pages that impersonate legitimate organizations, especially those that sell sought-after products in the run-up to the holiday season, to trick users into providing their payment details.
Understandably, given the prevalence of these grid-based black-and-white squares, people habitually scan them, simply assuming they are genuine. While ease of use and speed of transaction are the very reasons for their popularity, the issue is that there is no room for oversights -- one scan and the user can be phished!
QR code verification is a challenge
QR codes are simple to scan but extremely difficult to authenticate. In the case of suspicious links, users can be cautious and vigilant. Malicious QR codes, however, can be seamlessly placed in public spaces, emails, or websites, making detecting their malicious intent challenging. Once scanned, these codes redirect unsuspecting users to fake websites or initiate malware downloads without users even knowing.
Smartphones and tablets are predominantly used to access QR codes, and this gives criminals a further opportunity. These devices are potentially less secure, and so the threat actors can isolate the victim from machines where antivirus technologies are typically installed, such as PCs and laptops. Better still, when using QR codes to lure victims, criminals don’t need to include the actual malicious or phishing URL inside of their phishing emails, thereby bypassing some email security protections that incorporate URL scanners.
Essential QR code safety tips for mobile phone users
When it comes to QR codes, the holiday season is an especially lucrative playground for scammers. Preying on shoppers’ excitement to grab those irresistible bargains, scammers deploy crafty QR codes to trick and lure unsuspecting victims with enticing, joyful, and celebratory schemes. It’s worthwhile for individuals to pause and inspect the QR code before intuitively scanning.
Some tips. Resist the temptation to blindly scan a QR code, no matter how authentic it might seem. Opt for apps that can preview the URL linked to the QR code before visiting the site. This simple precaution will provide the chance to scrutinize the destination and make an informed decision about whether it's safe to proceed.
Be very wary of QR codes found on unsolicited mail, flyers, or in unusual locations. Scammers love to use these methods to lure innocent victims into their schemes. If an offer appears too good to be true, it likely is. Err on the side of caution and avoid scanning the code altogether. Also, be sure to check if a QR code has been stuck over the top of an existing one -- this should be a red flag before you even think about scanning the code.
Essential QR code safety tips for businesses
Organizations too must take steps to proactively protect their business operations and customers, especially as the QR code is a fantastic tool to help deliver personalized experiences, maximize reach, and boost sales during the holiday period.
Foremost, consider investing in technology solutions that provide multi-layer QR code security, and help to validate the authenticity and security of QR codes in business operations. Technologies exist that perform comprehensive scans of QR codes, analyze the underlying URLs and data, and offer essential safeguards against quishing threats. Incorporating these advanced security tools can bolster the defenses of the business while instilling confidence in customers who use those QR codes.
Develop strategies for managing QR code protocols including their creation, distribution, validation, and traceability. More crucially, strictly enforce these guidelines. Through such detailed oversight, organizations can reduce the risk of unauthorized or compromised QR codes entering their operational ecosystem.
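As an added illustration of the URL analysis and validation described above (not code from the article or from any vendor), the sketch below checks the text decoded from a QR code against a registry of hosts the organization has issued codes for and flags common disguises. The registry contents, the shortener list, and the sample payloads are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts the organization actually uses in QR codes it issues.
ISSUED_HOSTS = {"shop.example.com", "events.example.com"}
# Assumption: a maintained list of link-shortener hosts (constructed here).
SHORTENERS = {"short.example"}

def inspect_qr_payload(payload, issued_hosts=ISSUED_HOSTS):
    """Return (verdict, reasons) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "block", ["malformed URL"]
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme not in ("http", "https") or not host:
        return "block", ["not a web URL (scheme: %s)" % (scheme or "none")]
    reasons = []
    if scheme != "https":
        reasons.append("not HTTPS")
    if parts.username or parts.password:
        reasons.append("userinfo before '@' disguises the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # an ordinary domain name
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible look-alike domain")
    if host in SHORTENERS:
        reasons.append("link shortener hides the final destination")
    if host not in issued_hosts:
        reasons.append("host is not in the issued-code registry")
        return "block", reasons
    return ("review" if reasons else "allow"), reasons

# Constructed payloads, as a QR decoder would return them.
SAMPLES = [
    "https://shop.example.com/holiday?c=123",
    "http://events.example.com/register",
    "https://shop.example.com@198.51.100.7/pay",
    "https://xn--shp-7qa.example/deal",
    "https://short.example/a1b2",
    "WIFI:S:guest;T:WPA;P:x;;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(inspect_qr_payload(s), s)
```

The same check can run at creation time, so that every code the organization prints is confirmed to resolve to a registered host before distribution.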
Last but not least, make cybersecurity education an organizational priority. No matter how sophisticated and advanced security tools become, security education plays a critical role in threat prevention. As we approach the holiday period, coaching employees on the risks of QR code phishing and the tactics used by malicious actors for holiday season scams should be a priority. Use training that reflects real-world scenarios. For example, create a QR code phishing simulation for employees that appears within the context of your organization and closely mimics the workings of the business. Likewise, utilize a QR code email that has been received by your organization and repurpose it into a phishing simulation using tools and templates that are available on the market today to make it appear as life-like as possible, to test employees’ vigilance.
In a nutshell, organizations must interweave layers of defense -- from educating the workforce to implementing stringent QR code policies to embracing advanced security technologies -- to protect their business and customers from quishing. This kind of holistic approach will enable organizations to truly benefit from QR codes, a tool whose usage is forecast to grow exponentially across industries, globally. Considered and safe usage is the only option.
Sam Mayne is Product Solution Analyst, VIPRE Security Group.