Mobile Device Security: Essential Policies & Practices

The 2021 Mobile Security Index surveyed 856 professionals responsible for the procurement, management or security of mobile devices for their organizations. 

The survey found 60% of respondents considered mobile devices to pose the greatest IT security risk, and that 76% of respondents have faced pressure to trade mobile security for expediency. 

One of the key contributing factors to mobile security issues is the blurring of lines between personal devices and business devices. Security gaps arise where no clear policy exists regarding the use of personal devices for business purposes, or where policies are unenforced. The remote or hybrid work model often exacerbates these gaps, and the data shows the degree: a Lookout report found a 364% increase in mobile phishing attempts between 2019 and 2020.

Employee devices fall into one of the following categories: 

BYOD, or Bring Your Own Device
Employee selects and owns device, primary use is personal.

CYOD, or Choose Your Own Device
Company-owned device chosen by employee from an approved list. Personal use may or may not be allowed.

COPE, or Company-Owned, Personally-Enabled
Selected and owned by the company. Personal use may be allowed in a sandbox.

COBO, or Company-Owned, Business-Only
Selected and owned by the company. Personal use is not allowed.

Regardless of which device ownership approach is used, employers should consider the following imperatives surrounding the use and regulation of devices by employees: 

Establish clear policies as part of a comprehensive program

  • With a CYOD, COPE, or COBO protocol, the variety of devices is limited to those chosen or approved by the employer, so security may be easier simply because there are fewer device types to cover. A BYOD program, however, means you’ll need to be prepared to secure a larger variety of operating systems and patches, and to address a more varied scope of vulnerabilities. 
  • Coordinate with your legal department to ensure you can enforce your policies in the event of a breach, for example if it becomes necessary to examine or even to remotely wipe an employee-owned device.
  • As always, it’s essential to make policies accessible and understandable to all employees regardless of primary language—this may mean providing device security protocols in translation where needed.

Communicate and educate

  • Make sure all employees know what is expected of them regarding their device usage, especially when using a personal device for business purposes. Clear communication in this regard can mitigate instances of sharing devices with non-employees, password negligence, and/or inappropriate web browsing. 
  • Educate your employees about the potential dangers of shadow IT and backing up organization data on local or non-controlled devices. Vulnerabilities are created when IT cannot see or control the storage of sensitive information.  
  • Educate users on the importance of keeping applications and operating systems scrupulously up-to-date, as well as on the sensitivity of app permissions.

Implement technical protections

A zero trust approach may be optimal where device variety is larger. Because zero trust automates many security decisions, it can reduce the degree to which security relies on end-user choices.

A Mobile Device Management (MDM) solution can be used to secure and support devices remotely, particularly where a variety of non-homogeneous devices are in use. MDM can isolate business applications in a “container” area, ensure patches and updates have been installed, and remotely wipe a compromised or stolen device.

Additional best practices

  • If you use DLP (data loss prevention) to block the exodus of information, be certain to provide a legitimate, secure, and functional means of sharing files outside your organization
  • Provide an external-facing, memorable email for your employees to report a lost, stolen, or compromised device
  • Regularly rehearse your incident response plan to ensure quick, smooth deployment in the event of a breach

Learn more about mobile security management in conversation with your peers at the 2021 Information Security Leaders Content Week, a virtual forum October 18-20.
Join your peers virtually to discuss security trends and challenges through open conversation, presentations, and roundtable sessions.


Crisis Leadership & The Evolution of Vendor Relationships: SINC Sits Down with Deena Swatzie, Truist Financial


SINC’s Director of Content Annie Liljegren spoke with Deena Swatzie in August 2021, and has edited this interview for length and clarity.

My guest today is Deena Swatzie, GVP Cyber Security Strategy and Digital Innovation at Truist (formerly SunTrust), who’ll be featured at our 2021 Southeast Forum, September 19-21 in Miami.

Thanks for being here, ma’am. I’m particularly excited to be speaking with you because your experience leading through the last 18 months took place under some interesting circumstances.

To refresh everyone on the narrative: Truist resulted from the merger of BB&T with SunTrust (where, in 2019, you were Group VP Cyber Security, GRC Manager). So the merger is announced February 2019, it’s completed in December 2019, presumably everyone’s geared up to tackle those resultant challenges—and then 2020 comes.

As you began to realize the scope of what would be required in addition to the anticipated challenges for that year, what strategy or value or mindset did you arm yourself with? What was crucial to navigating that period?

Deena Swatzie: Thank you, Annie. I think the biggest thing I’ve understood, from the time the merger was announced to today: you have to be able to adapt to change. You’ve heard that so many times over the years: change is good, change is inevitable, but in this particular instance, you really had to be able to adapt. Everything changed for us—this was not a simple acquisition where you’re making a couple changes to pull them into your organization—it was everything from top to bottom. Every department was impacted, and everywhere, and so I think that was the biggest challenge: trying to understand, and manage, and navigate through all the changes.

But the good part was, we weren’t the only ones in the middle of this. My team wasn’t the only one, and you as an individual weren’t the only one, we were all in it together. Working from a positive standpoint actually helped a lot during 2020.

“In this particular instance, you really had to be able to adapt.”

One might assume the dual circumstances made everything worse, that it was equivalent to steering through two storms at the same time. But were there ways in which the remote working conditions actually served as a benefit?

Deena Swatzie: As far as the merger, we had already anticipated all those challenges, so we were already going through the trenches with the merger itself. But when the pandemic hit, I think in some ways it was helpful not to have the extra stress of traveling or of going into the office. With everyone at home, you were at least not having to deal with implementing all of the social distancing guidelines, or being concerned about being in common areas with other teammates.

Of course there are other stressors that come along with being at home, but when you’re virtual you typically have a bit more time to focus on your work and you do lose some distractions. There’s always positives and negatives, but I try to always focus on the positives because the pandemic itself was just brutal for everyone, I think.

Understanding you’ll probably have to be vague here, but was there a process or a system that impressed you as having its value absolutely demonstrated—something you were relieved to have already done away with or to have in place?

Deena Swatzie: You’re right, from an organizational standpoint that’s a delicate question, but I think what you can say is that a situation like this provides an opportunity to build upon the strengths and successes of each organization. And this can be applied to any situation, right? It doesn’t matter what magnitude, how large or small companies are, or even what’s going on—I think you can always draw from the positive, which is to say, build on each other’s successes and strengths.

No one person and no one organization does it the right way, but when you look at both, now you have two versions. You get to see what works best for each one, and then you can decide what’s going to be best overall going forward. In some ways it makes it a lot easier, because you have something to build on.

What were you emphasizing to your team during this time? What did they most often hear you say?

Deena Swatzie: I think it goes back to adapting to change. One thing I really emphasized with my team was you are not alone, and we are all in this boat together. Whenever you’re sitting in meetings or engaging with other teams, realize they’re going through the same thing.

And the second thing was: ask as many questions as you want. This is a great time to ask questions, even questions that may not fully make sense. There’s no question that isn’t valuable right now, because somebody else is probably thinking the same thing.

“This is a great time to ask questions—there’s no question that isn’t valuable right now.”

I want to ask you about backlash to the ‘best of breed’ approach. We’re hearing some frustration from the community over the seemingly-endless array of products, especially where the tech doesn’t necessarily integrate well, or where an organization is only utilizing 10% of their already-implemented solutions.

How do we go about balancing customization needs with the benefits of consolidation?

Deena Swatzie: Boy, that’s a good one. A key thing I’m focused on, and what I think everyone is really focused on, is of course consolidation of tools. If you look at the research that’s one of the current trends—they call it ‘security organization evolution’—trying to plan for vendor consolidation. The goal is always to try to reduce the extreme complexity that comes from having so many different products, technology, applications, and so forth. Those costs will continue to drive up, so we need to simplify operations as much as possible.

I know it’s a struggle for the vendors, but I think the more their products—especially larger products—can plug and play with each other, I think that will help them in the long run. But it is a challenge for vendors and I wish I had the answer for them.

And I think everyone is looking at this issue. Everyone is thinking about cost, and the pandemic shed a lot of light on where people are really challenged with operational expenses. If you’re at home all the time, you look at things from a different angle now, and you have a different viewpoint: Do we need to spend as much money on all these different variations of products and services?

For us, we look at it holistically: we do need to consolidate more, but at the same time, maybe the vendor recommendation is to make sure your products can plug and play with everything that’s out there. The more a product can interact the easier it would be to utilize.

Given those concerns, how could vendor relationships evolve into something that’s more valuable to organizational leadership? Or put another way, what could the ideal vendor relationship look like in the future?

Deena Swatzie: That’s a great question, and a very difficult question to answer. To be honest, I’m not really sure what vendors could do differently. All the vendors are really trying to establish relationships with all the different companies, and well they should—that’s how you get your product out. And there’s so much competition.

Maybe it’s just truly understanding your customer and understanding their business, and being a bit more…compassionate instead of sales-oriented. Maybe that’s the key: thinking about what your client’s needs are and if [what you’re offering] is really the right thing for them.

I would also encourage vendors to be patient. Many of us are going through so much change and planning strategically for the next several years. Just because a product can do a certain thing—we have to look at the business side, what we’re doing, what we’re challenged with. We may have other requirements that they can’t meet and so we’ve got to consider everything. We’ve got to look at our infrastructure, we’ve got to look at customer impact.

It’s like buying a car. Sometimes you want to take a good look, but you’re not buying a car today. That’s the analogy: allow us the opportunity to keep those relationships and let us look at it, let us figure it out, but we need time to be able to determine the best fit.

We have to look internally at what’s going to provide real value before we can make decisions, and it takes time. It is not something we can just make a decision on tomorrow, and say, Great new product, great bells and whistles, we should go use it. There’s a lot of things to consider, especially when it comes to security around what products we want to use.

So be patient, establish those relationships, keep those relationships. And understand that we may not be able to use something, but it doesn’t mean we shouldn’t maintain the relationship.

The most critical part is just to be patient. If you maintain that relationship, then I’m always going to be thinking about going back to that Lexus dealership.

“We may not be able to use [a given product], but it doesn’t mean we shouldn’t maintain the relationship.”

Looking ahead, what’s top-of-mind for you as far as something you wish was getting more consideration, or something that is receiving a good deal of attention, but you think the conversation around it could improve?

Deena Swatzie: I don’t think we know how to deal with the unknown. We don’t know how to plan for the unknown. I don’t even know that we can, but that’s exactly what concerns me.

There’s always something new that pops up and takes our focus—for example, there’s so much attention on ransomware right now. But how do we look at things from a viewpoint of trying to identify what the new potential type of threats are going to be? There are some companies that do some threat analysis, and there’s a lot of us that work with different organizations to pull in the data points and do some analytics, but I think it’s always going to be a challenge trying to determine that next unknown, trying to determine what’s brewing.

If you look at Gartner or Forrester, they’re telling you what’s coming down the line in the next two to three years, or what’s hot right now, but we still don’t really know because things change daily. Things are changing constantly—our environment is changing, the threats are getting more advanced.

We can always address what’s going on today, but how do we get ahead and plan for, or at least plan to be more prepared for, what’s coming? That’s what I’m always thinking: How do we get ahead of it?

More with Deena Swatzie at SINC’s Southeast Forum, Sept. 19-21 in Miami.



AL: Is Matt Ryan worth bringing back without Julio Jones?
DS: I’m disappointed Julio’s gone. I don’t know what the deal was but Julio didn’t seem happy. If you’ve watched the special that they did on Michael Jordan?
AL: Right, ‘The Last Dance.’
DS: Yes, and there’s another one on the Detroit Pistons. It’s so funny when they look back at all of those players and ask why they made the decisions they made to move to different teams. And it was all whining—just like Oh well, you know, I didn’t feel like they really wanted me, or because this person was trying to be the head of the team, or Shaq was coming in.
AL: (laughs)
DS: Michael Jordan has a big ego too, but he made the best of it at Chicago. So to me when they start jumping around like that it’s usually because they’re getting unhappy at the wrong things—you need to stick it out.
AL: You know, this has been delightful.
DS: It really has. Hopefully, things will get better and we will be there on-site to see you all in person.
AL: Here’s hoping. Thank you so much, ma’am.
DS: Thank you.

Talent Management in the Generational Divide: SINC Sits Down with Nate Arnold, GE Gas Power


SINC’s Director of Content Annie Liljegren conducted this July 2021 interview, which has been edited for length and clarity.

I’m here with Nate Arnold, VP & CIO Operations and Software Engineering at GE Gas Power, who’ll be featured at our 2021 Southeast Forum, September 19-21 in Miami.
Nate, you were originally slated to speak at last year’s (cancelled) event but your topic, “Leadership Within the Generational Divide,” has only increased in significance. How are you thinking about this subject now as compared with February 2020? Have the essential questions changed?


Nate Arnold: Yes, thanks again for the invitation. It seems like a lifetime ago in February 2020, when we were first talking about this…

A couple of reflections for me: When I first thought about this topic and previously explored it with some colleagues in GE, we were debating the colocation for software development with what we call the hub strategy. And we were observing different cultures depending on the location. Even cities within the US—a California city is very different than a New Orleans, for example—and then global cities and cultures, of course. We were observing different behaviors of retention.

There were standard processes we had around extracurriculars, cafeterias, gyms and free food, game systems and ping pong tables and all the things you think about. We were really interrogating: Is that the concept? Is that what draws people and keeps people? And we were finding the uniqueness of the culture really influenced that quite a bit—what things really mattered—depending on where you were.

What I would add to that, in the fallout of the pandemic, is a personal story. I’ve always been very attached with folks on my team: spending discretionary time trying to get to know them, a lot of relationship management. In the past, it’s been my experience that was something that really helps drive bonds and influence retention. I’ve had a lot of movement of folks lately, through the pandemic, and I’d say I was surprised the weapon we have in relationship-building was really changing in this environment.

So I think it’s still a very fruitful topic. There are so many dynamics going on; it’s been an important thing for us to consider as we think about a mobile workforce and how to retain top talent.

“The weapon we have in relationship-building was really changing in this environment…”

Recent events certainly acted as a crucible for processes, but also for people. I’m going to ask about processes and structures in a minute, but as far as the people side: What surprised you or struck you? What did you draw out of leading people in and through the last 18 months?

Nate Arnold: We talk a lot about the productivity perspective; I think companies by and large are pleasantly surprised with the level of productivity. And then, we’ve been dealing with that as almost a negative consequence—are people working too much? Are people not having that separation between work and personal life? We’ve seen burnout.

But one thing that pleasantly surprised me, I think more than anything, was that even though we were remote there was a level of compassion and empathy, and relationship-building happening on a whole other level. There was a lot of understanding of people’s personal circumstances. We got to know people on calls a lot better because you were seeing their cats and dogs and kids, and laughing about it and accepting it. I found a rich relationship-building was happening with teams at the personal level.

“There was a level of compassion and empathy and relationship-building, a whole other level.”

When we went fully remote in the US, a lot of us kind of freaked out. My global teams reminded me they’ve been doing this the whole time; it wasn’t a big deal and we could still get a lot of work done virtually. That was a great observation.

As far as non-people elements during the transition to remote, what stood out to you as having its worth absolutely proved, or something you were relieved to already have in place or have done away with?

Nate Arnold: I would say compute power, remote testing, performance testing—the simple things you expect to be routine. When GE closed the books the second quarter of 2020, that was the first time we did so fully remote. Without armies of teams in an office with workstations and contract teams, all hands on deck making sure we’re processing hundreds of thousands of transactions and millions and millions of dollars—a very open failure mode pool. That preparation and having systems in place to handle it was a great advantage for us and made the transition pretty seamless.

Let’s address talent. How does drawing from a global pool inform acquisition, development and retention, as you’re compounding generational diversity with this other factor of real and even extreme geographical diversity?

Nate Arnold: Well, we’ve been talking a lot about core competencies. We’ve been talking about what we value the most and what we want to cultivate. We’re finding the importance of a career path is that much more important, as well as the need to get specific about the skill sets that matter to us. Now that leadership are differentiated the fight for talent globally is aggressive.

I’d like to bring you back to something you said in your February 2020 interview with Jason Cenamor. I’ll give you the full quote for context:

“Sometimes the basics are what matter most. I myself have fallen into the trap of thinking a foosball table and free bananas means I’ll keep folks longer, but at the end of the day people want a sense of purpose, to feel valued in their work, to be respected. It’s easy to lose sight of that when we complicate factors around the generational considerations. There are important differences you should know, but good leadership is good leadership. If you care about your people and focus on things that matter, you have a better shot at retaining those folks.”

So to me this suggests a consistency of values or an underlying value system informing the tactics—treating the idea of leading across the generational divide, or leading virtually, or leading through a crisis, as informed by those values rather than as a grab bag of tips and tricks?

Nate Arnold: Yes. And I think there has to be consistency to it, right? One advantage of being with a company like GE is that we have decades of experience working globally within different cultures, and the leadership locally that involves themselves with those teams is critical.

Recently I was speaking with a young lady we have; she has a PhD and works outside the US. She has been very motivated within our team and very loyal to GE, even in the face of frequent external offers. So I was asking about that and really interrogating it. She said it came back to a couple core principles: the sense that there’s a genuine interest in her, that the leadership team cares about her, that there’s a focus on her development, and all of this consistently. And then there’s flexibility—an understanding of personal situations and allowing for a personal life. Those are three things that I meant [can get lost] by overcomplicating the thinking.

It’s easy to just step back and say there must be a fundamental problem, and there must be an easy fix here, and if I throw a pinball machine in the hallway that’s going to fix it. That’s just superficial. If you don’t have those core principles, and consistency, and some good training and leadership—even in your junior ranks, to model it—then that’s the problem.

I understand you particularly enjoy the informal elements of formal events, the opportunities to “catch people in the hallway,” and you encourage other folks to really be proactive about that. So, especially as we’re thinking about generational culture, to what degree can that hallway interaction ever be authentically replicated virtually?
Or is that a fading paradigm in itself—do younger leaders already not see the same distinction, or not necessarily feel a loss there between virtual and in-person?

Nate Arnold: That’s a good question. There’s an informality and an “ad hoc-ness” to the water cooler or the hallway. I think it can be replicated, there just has to be a lot of intentionality. Because, what I’ve found is this: my schedule is a complete disaster now more than ever. We do a lot of lean at GE and I try to follow some sense of lean standard work, but [my schedule] is a nightmare—no consistency.  So how do you accommodate for those ad hoc sessions, because you do have to force it—I have to ping somebody and say Hey can you jump on video for a minute? But if you do allocate those times, I think that interaction is genuine.

And I think it can serve the same purpose, where someone feels really motivated. If it’s one-under-one, or one-under-one-under-one, I think those kinds of sessions are the things that motivate people. They realize the leadership team really does care what their opinion is and cares about what they think.

So it puts a little bit more on the leadership or the culture, to ensure you’re educating teams to be comfortable pinging folks. I consistently tell my teams: I hate email. Do not email. Do not email. Ping me, text me, message me—whatever. That’s a more personal interaction, it’s one-on-one, and I can quickly do it. I think the more we buy into messaging services and let email die, and focus on the threads of interactions and the one-on-ones, I think it’ll be there.

“The more we buy into messaging and let email die, and focus on threads and one-on-ones, I think [genuine interaction] will be there…”

But, you know, I still really value at least periodic time. I’ve told my software engineering team we’re going to get together for big room planning sessions in the agile process—we’re going to find a way, once it’s appropriate. We’re going to do that again, and at least have those interactions, and then we can lean into the other remote ones as best we can.

Hear more of Nate’s insights on “Leadership Within the Generational Divide” at SINC’s Southeast Forum, Sept. 19-21 in Miami.



Annie Liljegren:  Falcons or Saints?
Nate Arnold:  That’s a long story! But actually born in Cleveland so I’m a Browns fan.
AL: That’s unfortunate. I wanted to ask you about Taysom Hill…
Nate Arnold: Taysom Hill is a beast.
AL: And Matt Ryan coming back?
Nate Arnold: He hasn’t gotten over the hump in so many years, but at this point what do you have to lose? Go get something new and give it a shot.
AL: Indeed. We’re all set, Nate. Appreciate your time and we’ll see you at Southeast.
Nate Arnold: It was a pleasure—thank you.

Event Recap: Phoenix IT Leaders Dinner, July 21st 2021


“Connecting Your Modern Workforce in a Hybrid Workplace”
Venue: Mastro’s City Hall

Earlier this month our CEO Ross Abbott announced SINC’s return to regular events, and last week that announcement was realized in the Phoenix IT Leaders Dinner: our first in-person event in over a year.

We saw a full slate of attendees from our executive community as registration quickly reached capacity, and this eager response anticipates our return to in-person forums this fall. Rest assured, there is much more to come!

Our executive guests enjoyed a peer-led introduction to the specific topics attendees selected as most valuable, followed by group brainstorming and culminating in an open-forum discussion. As is often the case, the free and open dialogue continued as attendees sat down to the exceptional dining experience that is Mastro’s City Hall. Many thanks to RingCentral, Mastro’s, and our wonderful Arizona IT leaders for a successful event!

SINC Executive Dinners are carefully curated to foster genuine connection by limiting the number of invitees and using a round or square seating layout to facilitate group conversation. Our guests consistently report how this unique event environment produces more valuable dialogue and more substantive networking. 

This week: New York City and Dallas.

Upcoming: Irvine, CA, Tampa Bay, Austin, TX, and many more.


Endpoint Example: QR Codes & Poor Security Habits


In the world of remote work, every employee is an endpoint—no less the employee’s devices. As the line between work and home has blurred, so too has the line between personal and professional devices: how many employees have separate phones, and (perhaps more importantly) to what degree are they handled with appropriate security awareness? 

Resembling a futuristic barcode, Quick Response (QR) codes have become commonplace; the geometric black-and-white squares appear everywhere from soda bottles to utility bills. Alongside the steep rise in QR code usage during the pandemic lockdown came an overall increase in cybercrime. According to Mastercard VP Sandeep Malhotra, 2020 saw a 49% increase in cybercrime, with 1 in 4 consumers experiencing some form of online fraud. One in four consumers, and what are consumers if not off-the-clock employees? The United States Army seemed to make this calculation in March 2021, issuing a special alert warning service members of the potential dangers of malicious QR codes. 

Although QR codes provide valuable functionality, continued lack of awareness regarding their full range of capabilities makes blind use a clear security concern. Each user in your network should be cognizant of the potential threat posed by malicious QR codes, a threat sufficiently prevalent to warrant the coining of yet another goofy techspeak verb: “Qshing.”

Proliferation leads to risk desensitization

The two main vulnerabilities of QR codes manifest in desensitization to the use of such codes and ignorance as to their full capabilities. While QR codes were already on the rise, their use proliferated as the pandemic spawned an enormous need for touchless transactions. These codes now appear in countless instances, many of which involve financial or personal information; they are used to view restaurant menus, submit mobile payments, participate in loyalty programs, make charitable donations, etc. A 2021 MobileIron/Ivanti report found 83% of respondents stated they had used a QR code to conduct a financial transaction within the past year. The end result of all this popularity? QR codes have become so ubiquitous we often don’t think twice about scanning them. 

QR codes are far more powerful than we think

Contributing to this blasé attitude is a widespread misunderstanding as to just how capable QR codes are. One of a QR code’s most basic functions is to open a link, but 53% of survey respondents didn’t even understand it can open a URL, and 63% were unaware that scanning a QR code can also download an app. To evaluate the distance between common misconception and full capability, you can test your own knowledge by identifying which of the following statements are true and which are false: 

Clicking on a QR code can: 

  • Create a new contact record
  • Create a new social media account
  • Allow sharing of the user’s location
  • Add a new Wi-Fi network set to automatically connect
  • Schedule a new calendar event
  • Create a new email, and fill in both the subject and recipient fields
  • Send a text message
  • Dial an outgoing call

If you answered “true” to all of the above, you would be correct––a QR code can execute any of the above actions. 
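As an added illustration (not part of the original article), the Python sketch below classifies the text decoded from a QR code by the action a scanner app would offer, so that action can be shown to the user before anything happens. It assumes the commonly used payload conventions (WIFI:, vCard/MECARD:, iCalendar, MATMSG:/mailto:, SMSTO:/sms:, tel:, geo:, market://); the function names and sample payloads are constructed for this example.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Actions that change device state or send something out, rather than only display data.
STATE_CHANGING = {"join_wifi", "add_contact", "add_calendar_event", "compose_email",
                  "send_sms", "dial_call", "install_app"}


def split_fields(body):
    """Parse 'KEY:value;KEY:value;;' bodies (WIFI:, MATMSG:), honouring backslash escapes."""
    parts, current, escaped = [], [], False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ";":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    fields = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if sep:
            fields[key.upper()] = value
    return fields


def result(action, confirm=None, **details):
    """Build the record a scanner UI would show before acting on the code."""
    if confirm is None:
        confirm = action in STATE_CHANGING
    return {"action": action, "confirm_first": confirm, "details": details}


def classify_qr_payload(payload):
    """Map decoded QR text to the action it would trigger and the fields worth displaying."""
    text = payload.strip()
    scheme, sep, rest = text.partition(":")
    scheme = scheme.lower() if sep else ""
    path, _, query = rest.partition("?")
    params = {k.lower(): v[0] for k, v in parse_qs(query).items()}

    if scheme == "wifi":
        f = split_fields(rest)  # the password field (P) is deliberately not echoed back
        return result("join_wifi", ssid=f.get("S", ""), auth=f.get("T", "nopass"),
                      hidden=f.get("H", "").lower() == "true")
    if scheme == "mecard" or (scheme == "begin" and rest.upper().startswith("VCARD")):
        return result("add_contact")
    if scheme == "begin" and rest.upper().startswith(("VEVENT", "VCALENDAR")):
        return result("add_calendar_event")
    if scheme == "matmsg":
        f = split_fields(rest)
        return result("compose_email", to=f.get("TO", ""), subject=f.get("SUB", ""))
    if scheme == "mailto":
        return result("compose_email", to=unquote(path), subject=params.get("subject", ""))
    if scheme == "smsto":
        number, _, body = rest.partition(":")
        return result("send_sms", number=number, body=body)
    if scheme == "sms":
        return result("send_sms", number=unquote(path), body=params.get("body", ""))
    if scheme == "tel":
        return result("dial_call", number=unquote(path))
    if scheme == "geo":
        return result("show_location", coordinates=path.split(";")[0])
    if scheme == "market":  # Android app-store link
        return result("install_app", package=params.get("id", ""))
    if scheme in ("http", "https"):
        try:
            url = urlsplit(text)
            host, userinfo = url.hostname or "", "@" in url.netloc
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            host, userinfo = "", True
        encrypted = scheme == "https"
        # Show the real host: text before '@' in a URL is userinfo, not the site name.
        return result("open_url", confirm=(not encrypted) or userinfo,
                      host=host, encrypted=encrypted, has_userinfo=userinfo)
    return result("plain_text")


# Constructed sample payloads (reserved example domains and a fictional phone number).
SAMPLES = [
    "WIFI:T:WPA;S:Cafe\\;Guest;P:constructed-pass;H:true;;",
    "mailto:billing@example.test?subject=Invoice%20overdue",
    "SMSTO:+15555550100:JOIN",
    "tel:+15555550100",
    "https://accounts.example.com@login.example.test/signin",
    "market://details?id=com.example.scanner",
    "BEGIN:VCARD\nVERSION:3.0\nFN:Help Desk\nEND:VCARD",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_qr_payload(sample))
```
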

Malicious methodologies

There are two key methods of exploiting QR codes, malicious source and substitution, and understanding how each of these methods works is crucial to avoiding malicious codes. Malicious source methodology uses QR codes to usher the user to a false login page meant to steal credentials, or prompts the download of a malicious application. Substitution is a parasitic approach wherein a malicious QR code is inserted within or piggybacked onto a legitimate source, or even physically placed over the real QR code, such as on a physical flyer or restaurant signage. 

Best practices for using QR codes

Follow these best practices to avoid malicious QR codes: 

  • As a general rule, never scan codes sent via email.
  • Closely inspect physical QR codes. Do not scan if one code appears to be pasted atop another, or stuck onto a flyer rather than printed on it. 
  • Be very wary of any code that prompts the entering of a password or other credential. Be aware that some scams even place an App Store or Google Play logo alongside the malicious code to boost perception of its authenticity. 

Break bad habits and develop deliberate thinking

As with other cyber threats, malicious QR codes work by exploiting our established comfort level with the automation of common actions. The efficacy of such threats can be thwarted by awareness, mindfulness, and education: being fully versed in the threat capability, fostering a deliberate-choice mentality rather than thoughtless clicking, and staying abreast of new developments.