Combatting the Rise in QR Code Phishing
Technology users have become increasingly aware of social engineering and phishing tactics through email that impersonate powerful organizations and people, manipulate employees, and prompt actions that benefit bad actors. But just as technology evolves, so do criminal tactics.
According to the online QR code generator QRTIGER, dynamic QR code scans increased 433% globally from 2021 to 2022, with scans quadrupling in 2022 alone. The convenience of smartphones with built-in cameras and the touchless use of QR codes creates a breeding ground for the latest round of cybercrime affecting corporations and consumers.
The FBI has released warnings that cybercriminals may tamper with QR codes to direct victims to malicious websites. With that in mind, here are some tactics and tips to help employees and consumers stay safe:
What is QR Code Phishing?
QR code phishing is a social engineering attack that embeds a malicious link within a QR code, which users open by scanning it with their camera-enabled smartphones. These links take users to insecure websites or deploy malware on the user’s device to steal usernames and passwords or other personal or sensitive information. This is typically referred to as “QRjacking.” Cyber-educated users have found email phishing easier to identify because there are usually red flags in the sender’s address, in the request or in other details of the email, but a QR code gives no outward sign that would raise any concern or question of legitimacy.
What is the Potential for QR Code Phishing in the Physical Realm?
A QR code scam can be executed outside of a digital-only space by placing fake QR stickers over real ones. People often believe the codes in public spaces like restaurants and stores are safe, which gives bad actors an opportunity to redirect users. After scammers targeted citizens in Texas and North Carolina, police departments and the BBB alerted the public about such schemes being deployed in public parking areas. Fake QR codes were placed over legitimate ones on parking meters to trick the public into entering their payment credentials into a phishing website.
How Is the Industry Responding?
Cybersecurity organizations are responding to the uptick in QR code scams to further reduce the impact on potential victims, just as they have done with other communication platforms. KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, has launched a no-charge QR code phishing security test tool to complement its existing suite of phishing education and prevention tools. The tool helps organizations identify users who are most susceptible to scanning malicious QR codes. Comprehensive awareness building and tracking are an ongoing need in order to keep pace with technology.
Steps to Protect Employees from QR Code Fraud
- Run Security Updates on Mobile Devices: Any device that has access to corporate resources should have regular security software updates.
- Educate Users Regularly: Ensure your organization has a formal Cyber Awareness Training program in place. Require new employees to complete this training at the time of onboarding before they are given access to critical systems and data. Educating employees regularly on new tactics and educating them on tips to protect themselves and the organization against the latest cyber threats has the biggest impact on changing behavior and preventing security incidents.
- Work Toward Eliminating Passwords: Implementing multifactor authentication (MFA) requirements across the organization is an effective means of minimizing attacks; however, working toward eliminating passwords is an important goal for the long term. Many QR code-based attacks are trying to trick users into providing passwords so that cybercriminals can steal credentials. When an organization isn’t password-dependent, these attacks are no longer a threat.
- Security Trigger: Identify changes in business practices or processes and verify the change with the source. Part of the threat actors’ process is to test new Tactics, Techniques and Procedures (TTPs). Obfuscation tactics such as hiding URLs inside QR codes and embedding those codes in an image or PDF file attachment help threat actors test their ability to bypass email security. There are two Cyber Awareness Training opportunities here:
  - Email recipients should ask themselves, “Have I ever been asked to take this action before?” If not, they should call or otherwise contact the legitimate sender to confirm the use of QR codes in future transactions. This is extremely important when working with financial data, employee data, contracts, or your organization’s intellectual property.
  - Help already taxed IT teams by bringing this new email threat to their attention. In the vein of “if you see something, say something,” report this activity as suspicious: notify your IT team that you are beginning to receive messages with QR codes and ask whether IT has a way to scan them for suspicious links or malicious activity.
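The last point asks IT to scan the URLs hidden inside QR codes. As an added illustration of what that scan can look like once a QR symbol in an attachment has been decoded to text, here is a small triage script. It is example code written for this page, not Red River's or KnowBe4's tooling; it assumes the decoding step is done by a separate tool (for instance the zbar project's zbarimg command) and only shows the URL checks an IT team could run over the decoded payloads. The trusted-domain list and every sample payload are constructed for illustration.

```python
"""Triage URLs decoded from QR codes in e-mail attachments (added example).

Assumes the QR symbol has already been decoded to a string by a separate
tool (for instance the zbar project's zbarimg command); only the URL triage
that an IT team could run over those decoded payloads is shown. The trusted
domain list and every sample payload below are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: domains the organization really sends links from.
TRUSTED_DOMAINS = {"example.com", "example-payroll.com"}

# Public URL shorteners: the real destination is hidden behind a redirect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rb.gy"}

# Path/query words typical of credential-harvesting pages.
CRED_KEYWORDS = ("login", "signin", "verify", "password", "reset", "sso", "mfa")


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host):
    """True for hosts such as 203.0.113.5 or 2001:db8::1 (urlsplit strips the brackets)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_url(payload, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reasons) for one decoded QR payload.

    verdict is 'allow', 'review', 'block' or 'not_a_url'.
    """
    reasons = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Wi-Fi, vCard, plain text, mailto, ...: not a web link, triage elsewhere.
        return "not_a_url", [f"scheme {scheme!r} is not http(s)"]
    if scheme == "http":
        reasons.append("unencrypted http link")

    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:
        port = None
        reasons.append("malformed port")

    if not host:
        reasons.append("no host in URL")
    elif not any(host_matches(host, d) for d in trusted):
        reasons.append(f"host {host!r} is not a trusted domain")
        if is_ip_literal(host):
            reasons.append("host is a bare IP address")
        if "xn--" in host:
            reasons.append("punycode (IDN) host, possible lookalike domain")
        if host in SHORTENERS:
            reasons.append("URL shortener hides the real destination")
        if port not in (None, 80, 443):
            reasons.append(f"non-standard port {port}")
        if parts.username is not None:
            # https://example.com@203.0.113.5/ shows a trusted name but goes elsewhere
            reasons.append("userinfo before '@' disguises the real host")
        for d in trusted:
            if d in host or d.replace(".", "-") in host:
                reasons.append(f"trusted name {d!r} embedded in an untrusted host")
                break

    text = (parts.path + "?" + parts.query).lower()
    if reasons and any(k in text for k in CRED_KEYWORDS):
        reasons.append("credential-related words in path/query")

    if not reasons:
        return "allow", []
    return ("block" if len(reasons) >= 3 else "review"), reasons


def triage_batch(payloads, trusted=TRUSTED_DOMAINS):
    """Triage many decoded payloads; returns a list of (payload, verdict, reasons)."""
    return [(p, *triage_url(p, trusted)) for p in payloads]


# Constructed sample payloads, as they might come out of a QR decoder.
SAMPLE_PAYLOADS = [
    "https://sso.example.com/login",                        # genuine SSO link
    "https://example.com.login-portal.test/verify?user=",   # lookalike host
    "http://203.0.113.5/reset",                             # bare IP, plain http
    "https://example.com@203.0.113.5/login",                # userinfo trick
    "https://xn--exmple-cua.com/verify",                    # punycode lookalike
    "https://bit.ly/3abc",                                  # shortener
    "WIFI:S:guest;T:WPA;P:secret;;",                        # not a web link
]

if __name__ == "__main__":
    for payload, verdict, reasons in triage_batch(SAMPLE_PAYLOADS):
        print(f"{verdict:9} {payload}")
        for r in reasons:
            print(f"          - {r}")
```

The verdict thresholds are deliberately simple: anything outside the organization's own domains is at least "review", and stacked indicators (lookalike host, bare IP, credential words in the path) escalate to "block". A real deployment would feed the "review" bucket to a human or a URL reputation service rather than trusting this heuristic alone.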
Preventing QR code phishing is just one way to improve cyber hygiene across an organization. For more information on how Red River’s expert cyber team can support your organization’s security posture, contact us: info@redriver.com.