DEV Community

Cover image for Phishing Scams With QR Codes: A Hidden Menace
Aashi Agarwal
Aashi Agarwal

Posted on

Phishing Scams With QR Codes: A Hidden Menace

Reason Why QR Codes Have Been Chosen As Targets

The purpose of QR codes was to provide convenience. Users can easily visit websites, download applications, access services, and transfer information by simply scanning the code. It is due to this feature that QR codes are targeted by hackers. People have got used to scanning codes in restaurants, office environments, car parks, event venues, emails, and other places. Thus, a person does not treat a QR code like a regular hyperlink and tends to scan without paying any attention.
That makes a QR code phishing quite an efficient one. In many cases, victims do not click on a visible hyperlink; hence, they may not see all the signs of danger that usually make them stop. A malicious QR code can redirect users to a website of attackers which may include a login form, a credential harvesting form, or a malicious page.

How Does QR Phishing Work?

QR phishing, referred to as “quishing,” exploits the technique of hiding malicious purposes under the cover of a seemingly innocent square. The criminal uses a QR code in a message, flyer, e-mail, poster, packaging, or even a false security warning letter. Upon scanning the code, the victim gets redirected to the attacker’s website.
The latter may mimic a legitimate service, including Microsoft 365, Google, a bank, a courier service, or an internal corporate portal. This web resource may require signing in, payment verification, password reset, application installation or download. In addition, the website could contain other malicious components like a redirecting code or a malware installer.
The key element of this threat is not sophisticated technology but trickery. Indeed, QR codes are used so often now that people rarely check the destination address before clicking. Moreover, there are more chances for people to fall for phishing scams when using a mobile device due to its smaller screen and quick interaction with the Internet.

Why Does It Work So Well?

The QR phishing scam exploits human tendencies. Humans have been programmed to scan and go. When they see a code, they feel safe since it is part of their known environment or attached to a communication. Attackers understand that this is how humans are programmed and exploit it to get around the skepticism that would normally make a phishing email fall flat.
The other thing about QR phishing scams is that attackers have an advantage when it comes to detection by cybersecurity systems. These systems tend to be better at detecting links within texts than at analyzing QR codes in PDF files, posters, and even screens. The QR code can keep the destination hidden until the person scans the code.
Lastly, it works well because it transcends environments. Malicious QR codes may be posted on the physical world or on print documents, emails, or hybrid work environments. This makes it more difficult to block via a single control. An attack can go from physical to virtual in one scan.

Popular Scenarios of Attack

One popular attack scenario is using emails containing phishing QR codes. Rather than putting any malicious links, the attacker uses a QR code and encourages the user to scan the code to view a document, verify their account, or solve any issues. Some filters of the email program might not consider the image as malicious as a hyperlink.
The second scenario is physical replacement of the QR code. Attackers may replace authentic QR codes with phishing ones in public parking lots, hotels, train stations, or offices. If users scan such a malicious code, they may visit a fraudulent website asking for payments or to enter the credentials. In this case, because of the code’s origin, the user does not doubt its authenticity.
The third scenario can be a notification about any services. It can contain a message about the bills, passwords, and other things that require urgent action. The attacker asks the user to scan the QR code as a fast way to solve any problems.

The Risks To Individuals And Organizations

In terms of personal risks, QR phishing poses a danger of stealing credentials, taking over the individual’s accounts or payments, and introducing malicious software. For example, a compromised email or banking account can result in immediate harm, especially if the credentials are used right away. Additionally, if the passwords are reused, the consequences might expand to other online services.
As for organizational risks, the threat posed by QR phishing is even greater. One of the employees might scan a QR code which redirects him to a malicious single sign-on website and reveals credentials of the company. Such an attack can lead to accessing the network and stealing the information.
Besides, phishing can be conducted against such company resources as help desk personnel, finance department, executives, and people working remotely and using their mobile devices and cloud solutions. Finally, there is always a possibility of compromising the reputation of a company if its customers fall for a fake QR code.

What Makes A QR Code Suspicious?

A suspicious QR code may go along with urgency, pressure, or some strange instructions. The moment when the message requires immediate attention calls for a closer look at the code. The presence of the code from an unknown sender, a questionable printed material, or a slightly distorted document serves as additional warning.
Context also plays its role here. The user may not trust a code that asks them to log into the website, enter their payment details, install any software, or approve a request. Suspicious code always circumvents regular business procedures, and legitimate organizations offer other means to verify the request.
The user must pay attention to potential physical tampering. Layering of a sticker, misalignment of the code, and covering up another code serve as red flags. A code in a public place can never be considered valid just because it exists. An attacker relies on the fact that nobody would ever think about tampering with such a simple thing.

How To Defend Against It

The first step in defending against QR phishing is to create awareness that a QR code is no less dangerous than any other link just because it is presented as an image rather than a text. Training will have to teach the user to stop, check the source, and make sure the request is valid.
There must also be a way to verify links and requests by other means, so people do not need to blindly scan anything that looks suspicious. If the code is supposed to lead them to an internal portal, it must be made clear how this can be done.
The security measures applied to mobile devices are important. They must have up-to-date operating systems and secure browsers, with anti-phishing measures applied whenever possible. Even if a QR code brings one to a page for logging in, the domain name must be verified before anything else is done.

The Broader Implication

QR code phishing attacks are successful as it allows for the embedding of danger within a routine practice that has become second nature for users. Scammers have figured out how to take advantage of users' natural reactions towards the behavior associated with QR codes, allowing for quick and easy cyberattacks.
This is precisely why such an attack becomes so dangerous. Unlike malware attacks that require complicated systems, phishing requires only attention and trust. This means that the best protection is not to completely refrain from using QR codes, but to approach them with caution.
In terms of cybersecurity, the most successful scams are always the most everyday.

Find more resources on cybersecurity, threat intelligence, digital risk, privacy compliance, and consent management through IntelligenceX and ConsentX. IntelligenceX helps organizations identify and understand emerging cyber threats through focused digital intelligence analysis and investigations, while ConsentX empowers businesses to achieve global privacy compliance with comprehensive consent management, cookie compliance, and data privacy solutions.

Top comments (0)