Are cybercriminals really using fake QR codes to steal your financial information?
In January 2022, the FBI issued a public service announcement warning people of a new trend: cybercriminals are allegedly taking advantage of Quick Response (QR) codes to redirect victims to malicious sites that can steal their credentials and financial information. Additionally, the FBI warned that QR codes may contain malware.
It sounds quite troubling at first glance, particularly with so many businesses now using QR codes to provide contactless services during the pandemic. Even Jen Easterly, the Director of the US Cybersecurity and Critical Infrastructure Agency, has a QR code on her business card – or so she perhaps jokingly claimed in a tweet.
But how concerned should you really be about QR codes as an attack vector?
In this blog post, we take a look at how fake QR code attacks work and whether it’s ever safe to scan them.
How QR code attacks work
Before we get into threat mechanisms, let’s get one thing straight: QR codes themselves are not malicious. QR codes are essentially just square-shaped barcodes made up of a number of squares and dots that represent binary code. When you scan the QR code with your smartphone, it translates the code into the data’s original form. QR codes are commonly used to direct users to landing pages, download apps, and send and receive payment information. More recently, QR codes have played a major role in tracing COVID-19 exposure and helping contain the spread of the virus.
Humans obviously can’t read QR codes with the naked eye, which makes it relatively easy for attackers to replace legitimate QR codes with their own malicious ones which link to their own sites. If you’re scanning a QR code to call up a restaurant’s online menu, being directed to a fake website wouldn’t be too much of a problem. If, however, you’re using a QR code to launch a site into which you’ll enter financial information, it’d potentially be a very big problem.
In January 2022, this is exactly what happened in Austin, Texas, when police discovered fraudulent QR code stickers plastered to more than two dozen public parking meters. People attempting to pay for parking using these QR codes were directed to a fraudulent website where they were tricked into submitting parking payments to a fraudulent vendor.
How worried should you be?
Despite the FBI’s warning and the significant amount of press attention that followed, the reality is that most people probably don’t need to be overly concerned about QR attacks.
There is a lot of hacking folklore – which I call “hacklore” – floating around these days, and some of it comes from otherwise trustworthy organizations. We’ve seen warnings recently that scanning QR codes can lead to malware on your phone and bank account compromises. These alarms are sadly not backed up by the facts. While nothing is 100% secure, the phone manufacturers have done a good job making sure QR codes don’t create a security problem for you. — Bob Lord, former CSO at the Democratic National Committee and CISO at Yahoo
While it’s theoretically possible to embed malware into a QR code in the same way that it’s possible to embed a game of Snake, it’s never actually been done. At least, not as far as either we or Bob Lord know. The reality is that phones are quite secure and it would be extremely hard to pull off such an attack. Bottom line: scanning a QR code isn’t going to result in malware being silently installed onto your phone, meaning this is not something you need to worry about at this point in time. Phishing-based attacks, however, are a real risk and, as noted above, there have actually been some real-world cases. Such incidents are, however, very rare. You’re far more likely to encounter a phishy email than a phishy QR code.
General protection strategies
Takeaway
Choose Your Package
Get your License Key immediately to your email when purchased via Credit/Debit Card.
Anti-Virus Security
Features
-
Scan & Clean
-
Layered Protection
-
Anti-Phishing
-
Anti-Ransomware
-
Emergency Kit
-
Management Console
-
Basic Remote Management
Anti-Virus Security
Features
-
Scan & Clean
-
Layered Protection
-
Anti-Phishing
-
Anti-Ransomware
-
Emergency Kit
-
Management Console
-
Basic Remote Management
Business Security
Features
-
All features from Home
-
Command Line Scanner
-
Runs on Windows Desktops & Servers
-
Remote management via Management Console
-
Email & Webhook Notifications
-
User Permission Management
-
Max 2 Workspace Admins/Managers
-
Max 10 Protection & Permission Policies
Need more Users License?