Cyber
Cyber Liability: Understanding the Cybersecurity Risks of QR Codes
QR codes are useful but can lead to cybersecurity risks.
December 5, 2023
Quick response (QR) codes are a popular marketing, sales, payment and customer service tool for many businesses. However, as QR codes have become more prevalent, malicious actors have found ways to use them in phishing attacks and to spread malware.
These vulnerabilities can lead to significant financial and reputational damage, and businesses need to be aware of and mitigate these risks. This article provides more information on QR codes and their risks and offers tips on addressing their potential hazards.
What Are QR Codes?
QR codes are a series of pixels arranged to form a large square that contains a long string of data. They function similarly to a barcode. Code readers or smartphones can scan them, and often contain URLs so individuals can access websites without having to type in a specific web address. Once scanned, QR codes allow a quick and convenient way for clients to access a business’s information or leave a review. They can also prompt users to take specific actions, such as making a payment or downloading an app.
QR codes can be placed on various items such as posters, flyers, menus or billboards. They can also be included as images in digital communications sent through email or messaging apps.
The Risks of QR Codes
Although they can be a helpful tool, the nature of QR codes allows them to be exploited by cybercriminals. Since legitimate QR codes appear as a random scramble of pixels within a larger square, it can be difficult for users to differentiate between the safe and malicious ones. Additionally, QR codes may be standalone images, so they may not be accompanied by telltale signs of malicious activity, as is often the case with fraudulent emails (e.g., misspellings, suspicious links).
Businesses encounter risks from QR codes in a couple of ways: They are exposed to cybersecurity threats if an employee scans a malicious QR code, and if a company utilizes QR codes for business purposes, their legitimate codes can be manipulated by cybercriminals, potentially impacting their customers and their business’s reputation.
Examples of how cybercriminals can exploit QR codes include:
- Replacing or tampering with QR codes. Malicious actors may place their counterfeit QR code over a legitimate one or alter a legitimate one.
- Placing QR codes in high-traffic areas or strategic locations. Cybercriminals may place QR codes in high-traffic areas or near places that might seem connected to a location or object (e.g., on a parking meter). Curious passersby or those thinking the QR codes serve a safe function (e.g., paying for parking) may then scan the malicious code.
- Sending fraudulent QR codes in an email or through an app. Malicious actors may include a QR code in digital communication with language accompanying it to make the code seem legitimate.
Once the fraudulent QR code is scanned, a user may be vulnerable to various security issues, including:
- Quishing. This is a form of phishing where the cybercriminal seeks to steal an individual’s credentials, passwords or other personal data after a user accesses the website through the malicious QR code. The cybercriminal may use social engineering techniques to trick a user into thinking the website is legitimate and safe to enter their sensitive information.
- QRLjacking. This involves a cybercriminal spreading malware to an individual’s devices after a fraudulent QR code directs the user to a malicious URL.
- Device hacking. Under certain circumstances, a malicious actor may be able to access a user’s device if they scan a fraudulent QR code. The hacker then may be able to place a call, send a text or make a payment from the compromised device.
Mitigating the Risks of QR Codes
As cybercriminals increase their use of QR codes, businesses need to mitigate the associated risks. Strategies include the following:
- Provide continuous education to employees on the latest cyber threats and dangers connected to QR codes.
- Carefully examine QR codes to ensure they were not tampered with or altered before scanning them.
- Be cautious when scanning QR codes and double-checking the web address of the site they direct to.
- Install security software with content filtering that inspects links and attachments and blocks access to suspicious items.
- Maintain strict access controls to limit damage from malicious actors if they obtain login credentials.
- Utilize multifactor authentication systems to add a layer of protection to business systems in case employee passwords or credentials have been compromised.
- Advise employees not to scan QR codes if unsure of their origin.
- Keep all devices updated and patched.
- Disable automatic QR code scanning on devices.
- Review default settings and permissions regarding the sharing of sensitive information.
- Train employees on safely using their technology in a bring-your-own-device environment.
- Reduce the use of QR codes in electronic business communications to disincentivize cybercriminals from using them to target customers.
Businesses wishing to use QR codes can also take steps to protect their customers. Techniques to consider include:
- Using a reputable QR code generator and testing the QR code before distributing it
- Customizing the QR code to include the company’s branding
- Ensuring the linked website is strongly encrypted and has visible indications of SSL protection
Reduce Cyber Risks
QR codes provide a useful function, but they can also serve as an entry point for malicious individuals to steal credentials, insert harmful software, and compromise the security of an organization and its customers. This can lead to significant financial losses and reputational damage. By implementing cyber risk reduction strategies, companies can protect their business, employees and clients. Contact us today for information about cyber liability insurance and other risk management solutions.
Related Reading: Manage Cyber Risks to Limit Financial Losses
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.