The Problem with QR Codes

QR codes have become an easy way for companies to promote themselves – now that everyone carries a barcode scanner in their pocket (their smartphone) why not take advantage of this to better connect with customers?

Well…. because it can also be a cybersecurity nightmare.

Cryptocurrency platform Coinbase recently made headlines by using their Super Bowl half-time advert to advertise themselves with a bouncing QR code that users could scan live from their sofas. As many pointed out, this is literally the equivalent of clicking a blind link in an email from an unknown sender – with users unlikely to have checked where the link will take them, or what information they’re handing over when they get there.

Worse still, even if a company’s own QR codes are harmless, it’s very easy to generate imitations online that are not – leveraging a larger company’s advertising as a way to scam users.

QR codes can all too easily be planted by third-parties as a way of tricking the unsuspecting – in particular, you need to be wary of the following scams:

 

Parking Meters
– A fake parking meter QR code, stuck as a label, acts in a similar fashion to phishing emails and the carding-devices cybercriminals have famously used on ATMs to steal card details. By re-directing the user to a fake payment portal to pay their parking, this catches those who might otherwise be a rush. See also: fake parking penalty tickets.

 

qr code phone call

SMS/Phone Codes
– QR codes are generally used from smartphones with calling and SMS sending abilities, so it’s possible to prompt the user to send a text message to a number. Handy for business, certainly, but risky if the user doesn’t realise they’re calling or texting a premium number.

 

qr code tweet

Social Media Share
– Scan here to automatically tweet a link from @Lineal! Unfortunately that link is easily manipulated, causing the scanner to potentially become part of further phishing attempts on their own twitter followers.

 

Connecting to Wi-Fi
– In public spaces, many businesses will prompt users to join their free Wi-Fi via QR code. Clever and convenient, but obviously easy to use as a mechanism for a man-in-the-middle attack by those whose fake Wi-Fi network is simply a trap set for the unsuspecting user who’s just trying to access their email in a coffee shop, airport or hotel.

 

Guidance:

Think before you click – does the QR code match the rest of their branding? Where does the link preview point to? Is there anybody/anywhere you can double-check?

Use a Password Manager – although you might not spot a fake website URL, a password manager that normally autofills only a password on specific sites will recognise the fake immediately.

Assuming the device doesn’t sit within the container of a firewall that’s likely to detect threats as you browse the web, companies issuing work mobiles & tablets need to also extend endpoint security software to those devices – the same way you might a work laptop for those working on the move.

Most importantly, users need to be regularly educated on the importance of recognising phishing scams with organised training – to build personal resilience that extends to whatever device they happen to be using.

 

For Cybersecurity expertise and support, contact Lineal today.