Published: September 29, 2021 in our Security Fraud News & Alerts Newsletter.
There’s danger now lurking behind those busy black-and-white boxes known as QR codes, which now seem to be found everywhere for everything, including viewing restaurant menus. Always a quick way to scan for information, they are being used by more businesses now than ever. A study by Ivanti takes a look at what’s really going on behind QR codes, and its findings should make anyone think twice before they reach to scan a QR code with their mobile device.
QR codes started popping up in 1994 to help with automobile manufacturing in Japan, but they’ve come a long way since then. The letters QR stand for “quick response,” and Ivanti found 57% of survey respondents increased QR code scanning since mid-March last year. During the height of the pandemic, they provided a quick and safe way to get information for everything from restaurant menus to doctor appointments and prescriptions. But thanks to hackers, the word “safe” no longer applies to QR codes.
Are You a Good QR or a Bad QR?
As harmless as those busy little black-and-white boxes look, cybercriminals are often hiding behind them. Ivanti found 87% of QR users feel safe using them for financial transactions. However, they also found 31% of users say that after scanning a QR code, they were brought to a suspicious website or experienced something they were not expecting.
Hackers are using QR codes to redirect users to websites that look legitimate but in reality can steal credit card data and login credentials. Still others are brought to sites that automatically download malicious software onto the mobile device, compromising all accounts, apps and data they hold with no action required from the user. Unfortunately, the lack of security software on mobile devices helps facilitate these crimes.
The most common type of QRLjacking (Quick Response Code Login Jacking) is when a legitimate QR code used for cashless payments is replaced with a malicious QR code that enables a hacker to transfer money out of financial accounts.
QR Code Alert Issued
An alert from the Army Criminal Investigation Command’s Major Cybercrime Unit lists the damage that malicious QR codes can do:
Send payments to a destination where they can’t be recovered
Add nefarious names and numbers to a contact list and send text messages to all on a contact list
Connect a device to a malicious network
Use the mobile device for calls to premium phone numbers, leaving the device owner with large phone bills
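A scanner can blunt each item on that list by showing what a decoded code is about to do and asking first. The sketch below is an added example, not code from the article, Ivanti or the Army alert; the `classify` function and the prefix-to-action mapping are this example's assumptions, built on widely used QR payload conventions.

```python
from urllib.parse import urlsplit

# (payload prefix, action, what to tell the user before anything runs).
# Prefixes are common QR payload conventions; the mapping is an assumption.
PREFIXES = [
    ("wifi:", "join-network", "connect this device to a Wi-Fi network"),
    ("tel:", "dial", "place a phone call"),
    ("smsto:", "send-sms", "send a text message"),
    ("sms:", "send-sms", "send a text message"),
    ("mecard:", "add-contact", "add an entry to the contact list"),
    ("begin:vcard", "add-contact", "add an entry to the contact list"),
    ("bitcoin:", "payment", "send a payment that cannot be recalled"),
]

def classify(payload: str) -> dict:
    """Describe the action a decoded QR payload requests, without performing it."""
    text = payload.strip()
    for prefix, action, prompt in PREFIXES:
        if text.lower().startswith(prefix):
            return {"action": action, "prompt": prompt, "confirm": True}
    try:
        parts = urlsplit(text)
    except ValueError:  # malformed link, e.g. a broken IPv6 literal
        return {"action": "invalid", "prompt": "unreadable link", "confirm": True}
    if parts.scheme in ("http", "https") and parts.hostname:
        # Show the host the link really points at before the browser opens it.
        return {"action": "open-url", "prompt": f"open {parts.hostname}",
                "confirm": True, "encrypted": parts.scheme == "https"}
    if parts.scheme and parts.netloc:
        # Unrecognised scheme://... link that would hand off to another app.
        return {"action": "open-app", "prompt": f"open a {parts.scheme}: link",
                "confirm": True}
    return {"action": "text", "prompt": "show text", "confirm": False}

# Constructed sample payloads (not taken from any real QR code).
SAMPLES = [
    "https://menu.example.com/table/12",
    "WIFI:T:WPA;S:CafeGuest;P:constructed-pass;;",
    "tel:+15555550100",
    "MECARD:N:Doe,Jane;TEL:+15555550100;;",
    "Table 12",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = classify(sample)
        print(f"{result['action']:<13} confirm={result['confirm']}  {result['prompt']}")
```

Only plain text is displayed without a prompt; every payload that would open a site, join a network, dial, text, add a contact or pay is held for confirmation.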
An Ivanti researcher summed up the dangers behind using QR codes: “The greater reliance on QR codes there is, the greater the likelihood that malicious QR codes will succeed as the avenue for installing malicious code, ransomware, or releasing contact or payment information from the mobile device… As QR codes continue to increase in popularity and use, they will undoubtedly be leveraged more and more by cyberattackers to infiltrate devices and steal corporate data.”
Always be sure the QR code you are scanning is as safe as possible. If you have any doubt, don't do it. As an alternative, you can go directly to a company's or restaurant's website to view information, for example. If that isn't an option, ask for something other than a QR code to get the information you seek.