QR codes are increasingly being manipulated by cybercriminals due to their widespread use and the reluctance of many users to verify their content. The dangers posed by malicious QR codes stem from several factors:
QR codes can encode URLs, contact details, payment information, and other data, but their contents are not visible until scanned. Cybercriminals exploit this by embedding malicious URLs that lead to phishing sites, malware downloads, or other malicious actions. To make matters worse, most QR code scanning applications make it difficult to preview the destination of the encoded URL. As a result, users may unknowingly visit unsafe websites or install malicious software.
QR codes can redirect users to fake websites that mimic legitimate ones. For example, a code might direct a user to a fraudulent bank login page where credentials are stolen. QR-based phishing, or “quishing,” is becoming a common tactic.
Some QR codes can trigger actions automatically, such as sending a text message or making a payment. A malicious QR code could initiate actions that could result in financial loss or personal data exposure without the user realizing it.
Cybercriminals may tamper with legitimate QR codes, especially in public places (such as restaurants, parking decks or event venues), by placing fraudulent codes over the real ones. Users who scan these altered codes are directed to harmful sites instead of the intended resource.
QR codes are most commonly scanned with smartphones, which are the most common device used to store personal information. Malicious code can exploit vulnerabilities in mobile operating systems, resulting in malware installation, data theft, or remote control of the device.
QR codes don’t attract immediate suspicion because they are used for various legitimate purposes, including marketing, payments, and information sharing. The lack of a visual indicator or warning makes it easier for users to fall victim to attacks.
To mitigate the risks of QR codes, be sure to: