Unmasking QR Codes to
Ensure Digital Security
Quick Response (QR) codes are a convenient and popular way to access information, complete contactless transactions, and more.
However, QR codes also present security challenges and have become a popular target for malicious actors looking to steal information. It’s not easy to tell before scanning if the QR code is legitimate. It’s what makes this social engineering hack so worrisome.
Recently a malicious actor visited medical practices distributing business cards containing a website and a QR code. After further investigation of the business cards, the medical practice’s security team determined that the information on the business card pointed to a website domain and IP address commonly used by cybercriminals and scammers.
While the health center’s workforce displayed common sense by alerting their security department to this unusual and suspicious activity, not all individuals are prepared to understand the security risks QR codes pose.
Understanding the Security Risks Connected to QR Codes
- Data Theft: Because QR codes can store personal information, cybercriminals can use them to access your sensitive information.
- Fake QR Codes: It’s easy to generate a QR code, making it easy for attackers to replace a legitimate QR code with a fake one. An attacker can do this by placing a sticker over the original QR code or producing QR codes that direct you to a deceitful site.
- Malicious Links: Links to phishing pages or fraudulent sites can be connected to QR codes. After scanning a code to a malicious link, users may find they have exposed themselves to identify theft, malware, or sophisticated scams.
- Malware Downloads: Once a malicious QR code is scanned, it can prompt a download of an app or file, leading to malware being installed on the user’s device. This is also known as QRLjacking.
Security Measures You Can Take
- Security awareness training for your workforce improves your business’ security posture and encourages your workforce to protect their personal data. Educate your workforce about the risks associated with QR codes and how to identify risks.
- Maintain software updates on any mobile device your workforce uses to access corporate resources. Your security department may also want to provide security software that protects against device takeover or phishing attacks.
- Verify QR scanner apps are from reputable app stores like the Apple App or Google Play stores. Use QR reader apps with built-in security features. Some apps give a preview of the link’s content and check the link against a database of known malicious links.
- Regularly monitor QR code usage for any code your organization has created for products or marketing purposes, especially if the code links to a request for sensitive information such as medical records requests. You may want to encrypt the QR code to protect it from unauthorized access.
- Implement multifactor authentication (MFA) for your organization. Malicious actors design QR codes to trick users into entering their passwords to steal their credentials. MFA practices make it harder for hackers to gain access. Include passcode use on organizational phones, devices, or laptops to help prevent physical access to these devices.