QR codes have become increasingly popular in recent years and are used in a variety of ways, from marketing to payments. Insider Intelligence reports that the number of US smartphone users scanning a QR code will increase from 83.4 million in 2022 to 99.5 million in 2025. While QR codes offer a convenient way to access information, they also present security risks.
QR codes are essentially a type of barcode that can be scanned with a smartphone or other device to access information. This information can include URLs, contact information, or even payment information. While this makes it easy to access information quickly, it also makes it easy for malicious actors to access your data.
What is Qishing?
Qishing is a form of phishing that uses QR codes to direct unsuspecting victims to malicious websites or trick them into downloading malware. According to recent Trustwave SpiderLabs research, qishing emails appear similar to phishing emails, with the main difference being the inclusion of a QR code. These emails often mimic messages from legitimate companies, such as Microsoft or DocuSign, and are designed to trick the victim into thinking their session has expired and they must authenticate again. When the victim scans the QR code, they are sent to a fake web page that requests account and credential information. Qishing presents fewer “red flags” for defenses to detect, because most email filters check message content to block suspicious URLs, while a QR code requires shorter HTML source code to embed a malicious link.
Another security risk associated with QR codes is malware. Malware is malicious software that can be installed on your device without your knowledge and used to steal your personal information or to gain access to your device. Malware can be hidden in QR codes, so it’s important to be aware of this risk.
Finally, QR codes can also be used to track your location. This is because the code contains information about where it was scanned. This information can be used to track your movements and can be used for malicious purposes.
Fortunately, there are steps you can take to protect yourself from these security risks. The National Cybersecurity Center (NCC) encourages good cyber-hygiene so that if a malicious QR code is scanned, there is a reduced chance of it creating harm. Here’s what you can do:
- Before scanning a QR code, make sure the web address is correct and looks legitimate. Watch out for typos or incorrect characters.
- Be wary of entering login, personal, or financial information from a website accessed through a QR code.
- If scanning a physical QR code on a sign, window, or placard, make sure it has not been tampered with.
- Do not download an app from a QR code. Use your phone’s app store for a safer download.
- If you receive a notice to complete a payment through a QR code, contact the company to verify.
- Do not download a QR code scanner app. Most phones have a built-in scanner in the camera, which is safer.
- If you receive a QR code that you believe to be from someone you know, contact them through a known number or address to verify that the code is from them.
- If you believe you have been a victim of stolen funds from a tampered QR code, report the fraud to your local FBI field office at www.fbi.gov/contact-us/field-offices. The FBI also encourages victims to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.
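The first check in the list above, confirming that the web address looks legitimate and has no typos or incorrect characters, can also be automated once a scanner has decoded the QR code to text. The following is an added example, not code from the NCC or from Trustwave; the names EXPECTED_DOMAINS, edit_distance and review_qr_payload, and the sample links, are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: brands this mailbox expects to hear from (constructed list).
EXPECTED_DOMAINS = ("microsoft.com", "docusign.com")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_qr_payload(payload: str) -> list[str]:
    """Return reasons to distrust the text decoded from a QR code."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme {parts.scheme!r})"]
    findings = []
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        findings.append("no HTTPS")
    if "@" in parts.netloc:
        findings.append("text before '@' is not the destination host")
    try:
        ipaddress.ip_address(host)
        return findings + ["raw IP address instead of a domain name"]
    except ValueError:
        pass  # not an IP literal, continue with domain checks
    if not host.isascii() or "xn--" in host:
        findings.append("non-ASCII or punycode characters in host")
    # Simplification: last two labels; production code needs the Public Suffix List.
    domain = ".".join(host.split(".")[-2:])
    if domain not in EXPECTED_DOMAINS:
        for good in EXPECTED_DOMAINS:
            if good in host:
                findings.append(f"{good} appears in the host, but the real domain is {domain}")
            elif edit_distance(domain, good) <= 2:
                findings.append(f"{domain} is a near-miss of {good}")
    return findings

# Constructed sample payloads, as a QR decoder would return them.
if __name__ == "__main__":
    for sample in ("https://login.microsoft.com/", "https://rnicrosoft.com/renew",
                   "http://docusign.com.session-check.example/sign"):
        print(sample, "->", review_qr_payload(sample) or "no findings")
```

An empty result means only that none of these checks fired; it does not mean the destination is safe.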
While QR codes offer a convenient way to access information, it’s important to be aware of the potential security risks and take steps to protect yourself.