In the world of phishing, there’s a new(ish) player in the game. A survey conducted by Ivanti revealed that in 2021, 57% of people surveyed claimed they were increasingly using QR codes each day. 87% of those asked also claimed they felt secure proceeding with monetary transactions via QR codes - but are they safe?
Firstly, how do QR codes work? QR codes work on a similar principle to the barcodes used in supermarkets: they are the next generation of barcode, and the technical term for them is “2D barcode.” The main difference is that a 2D barcode, or QR code, can hold up to 100 times as much data as a 1D barcode.
[Image: a 1D barcode alongside a 2D barcode (QR code)]
Realistically, anybody can create a QR code containing:
With such a broad range of uses, a malicious actor has plenty of opportunities to exploit QR codes, and there’s little that the end user can do about it. For example, an attacker can compromise a trusted site and replace a QR code that you’d normally trust with your payment information, making you send your money to the wrong person. This is just one of the many examples in which a QR code can be misused, and the sky is potentially the limit thanks to the ever-evolving methods of online criminals.
The rise in the malicious use of QR codes, alongside the increased use of the technology, means that there is now one more thing users must watch for to keep their information secure. If you manage security for an organisation, you may need to educate your employees about the security risks of QR codes - and if you use QR codes in your own operations, it is worth regularly checking the codes the organisation publishes to confirm that they still send or retrieve the intended data.
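As an added example (not part of the original post, and not CSA's or Lookout's tooling), the Python script below implements the periodic check suggested above: each of the organisation's published QR codes is scanned, and the decoded payload is compared with the destination it is supposed to carry. It assumes the images have already been decoded to text by a scanner app or library, and the allowlist of expected hosts and the sample scan results are constructed for illustration.

```python
"""Validate decoded QR-code payloads against an organisation's expected destinations.

Added example. Input is the text a scanner returns for each printed code; the
script does not decode images itself.
"""
import ipaddress
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this organisation's QR codes should point to.
EXPECTED_HOSTS = {"example.org", "pay.example.org"}


def check_payload(payload: str, expected_hosts=EXPECTED_HOSTS) -> Tuple[bool, str]:
    """Return (ok, reason) for one decoded payload.

    Only an https URL whose host is exactly on the allowlist passes; everything
    else is reported with the reason, so a reviewer can see what changed.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme != "https":
        if scheme in ("http", ""):
            return False, "not https"
        # tel:, sms:, mailto:, wifi: and similar payloads are not web links at all.
        return False, f"non-web scheme '{scheme}'"
    if parts.username is not None or parts.password is not None:
        # "https://pay.example.org@other.host/" resolves to other.host, not to ours.
        return False, "userinfo before host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        return False, "raw IP address host"
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised (punycode) labels can render as lookalikes of our names.
        return False, "punycode host"
    if host in expected_hosts:
        return True, "ok"
    return False, f"unexpected host '{host}'"


def audit(scans: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Check every scanned code (label -> payload) and return label -> (ok, reason)."""
    return {label: check_payload(payload) for label, payload in scans.items()}


# Constructed sample: what a scan of each printed code returned this week.
SAMPLE_SCANS = {
    "lobby-poster": "https://pay.example.org/invoice",
    "menu-sticker": "http://example.org/menu",
    "invoice-footer": "https://pay.example.org@not-ours.example/invoice",
    "guest-wifi": "WIFI:T:WPA;S:Guest;P:secret;;",
    "car-park": "https://198.51.100.7/pay",
    "reception-desk": "https://pay-example.org/invoice",
}

if __name__ == "__main__":
    for label, (ok, reason) in audit(SAMPLE_SCANS).items():
        print(f"{'PASS' if ok else 'FAIL':4} {label:16} {reason}")
```

Run it as a scheduled job over the scan results and treat any FAIL as a ticket: a code that used to pass and now fails is the signal that a poster, sticker or page has been replaced.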
For both individuals and organisations, this doesn’t mean that every QR code you come across in the wild will be malicious and try to steal all your data. However, that doesn’t mean you should be oblivious to the potential risk. Malicious actors continue to become more sophisticated at the same speed as security professionals, if not faster - meaning that your security solution alone might not be enough to protect you completely. That’s why we recommend considering these precautions to minimise your chances of falling victim to this style of attack:
Our partners at Lookout provide a bespoke Mobile Endpoint Security solution, which offers an array of endpoint security services, including phishing detection. Lookout can identify potentially malicious URLs and stop the end user from interacting with them. The user will be notified of the mitigated threat, and Lookout will alert the organisation of the activity - but won’t provide the exact URL to the organisation, as the privacy of the end user is kept in mind.
Along with Lookout, we at Cyber Security Associates also offer a host of other Mobile Endpoint Security capabilities, including Breach and Data protection. To find out more, you can watch our free Lookout webinar featuring CSA’s Technical Director, James Griffiths, and FluidOne’s Mobile Commercial Director, Ash Morarji, today. You can also get in touch with us for guidance or advice on all aspects of cyber security, from monitoring and detection to training.