Endpoint Example: QR Codes & Poor Security Habits


In the world of remote work, every employee is an endpoint, and so is each of that employee’s devices. As the line between work and home has blurred, so too has the line between personal and professional devices: how many employees have separate phones, and (perhaps more importantly) to what degree are they handled with appropriate security awareness?

Resembling a futuristic barcode, Quick Response (QR) codes have become commonplace; the geometric black-and-white squares appear everywhere from soda bottles to utility bills. Alongside the steep rise in QR code usage during the pandemic lockdown came an overall increase in cybercrime. According to Mastercard VP Sandeep Malhotra, 2020 saw a 49% increase in cybercrime, with 1 in 4 consumers experiencing some form of online fraud. One in four consumers, and what are consumers if not off-the-clock employees? The United States Army seemed to make this calculation in March 2021, issuing a special alert warning service members of the potential dangers of malicious QR codes. 

Although QR codes provide valuable functionality, continued lack of awareness regarding their full range of capabilities makes blind use a clear security concern. Each user in your network should be cognizant of the potential threat posed by malicious QR codes, a threat sufficiently prevalent to warrant the coining of yet another goofy techspeak verb: “Qshing.”

Proliferation leads to risk desensitization

The two main vulnerabilities of QR codes manifest in desensitization to the use of such codes and ignorance as to their full capabilities. While QR codes were already on the rise, their use proliferated as the pandemic spawned an enormous need for touchless transactions. These codes now appear in countless instances, many of which involve financial or personal information; they are used to view restaurant menus, submit mobile payments, participate in loyalty programs, make charitable donations, etc. A 2021 MobileIron/Ivanti report found that 83% of respondents had used a QR code to conduct a financial transaction within the past year. The end result of all this popularity? QR codes have become so ubiquitous we often don’t think twice about scanning them.

QR codes are far more powerful than we think

Contributing to this blasé attitude is a widespread misunderstanding as to just how capable QR codes are. One of a QR code’s most basic functions is to open a link, but 53% of survey respondents didn’t even understand it can open a URL, and 63% were unaware that scanning a QR code can also download an app. To evaluate the distance between common misconception and full capability, you can test your own knowledge by identifying which of the following statements are true and which are false:

Clicking on a QR code can: 

  • Create a new contact record
  • Create a new social media account
  • Allow sharing of the user’s location
  • Add a new Wi-Fi network set to automatically connect
  • Schedule a new calendar event
  • Create a new email, and fill in both the subject and recipient fields
  • Send a text message
  • Dial an outgoing call

If you answered “true” to all of the above, you would be correct: a QR code can execute any of the above actions.
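As an added illustration (not part of the original article), the Python sketch below shows why: a scanner app decides what to do from the prefix of the decoded text. It maps widely used payload conventions (URI schemes, ZXing-style WIFI:/SMSTO:/MATMSG:, vCard and iCalendar) to the action they trigger and flags URL traits worth a second look; the function names, warning labels and sample payloads are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Lower-cased payload prefix -> action a scanner app typically offers.
PREFIX_ACTIONS = [
    ("wifi:", "join Wi-Fi network"),
    ("begin:vcard", "add contact"), ("mecard:", "add contact"),
    ("begin:vevent", "add calendar event"),
    ("begin:vcalendar", "add calendar event"),
    ("mailto:", "compose email"), ("matmsg:", "compose email"),
    ("smsto:", "send text message"), ("sms:", "send text message"),
    ("tel:", "dial phone number"),
    ("geo:", "open map location"),
    ("market:", "open app store listing"),
]

def url_warnings(url):
    """Return (host, warnings) for an http(s) URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:  # text before '@' can mimic a trusted name
        warnings.append("userinfo before host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host")
    try:
        ipaddress.ip_address(host)
        warnings.append("IP-literal host")
    except ValueError:
        pass
    return host, warnings

def classify(payload):
    """Describe what scanning this decoded QR payload would do."""
    text = payload.strip()
    low = text.lower()
    for prefix, action in PREFIX_ACTIONS:
        if low.startswith(prefix):
            return {"action": action, "host": None, "warnings": []}
    if low.startswith(("http://", "https://")):
        host, warnings = url_warnings(text)
        return {"action": "open URL", "host": host, "warnings": warnings}
    return {"action": "display plain text", "host": None, "warnings": []}

if __name__ == "__main__":
    # Constructed sample payloads, not taken from real codes.
    for sample in ("WIFI:T:WPA;S:CafeGuest;P:example-pass;;",
                   "https://login.example.com@203.0.113.7/signin"):
        print(sample, "->", classify(sample))
```

Showing the classified action and the real host before anything is opened gives the user the deliberate pause the article argues for.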

Malicious methodologies

There are two key methods of exploiting QR codes, malicious source and substitution, and understanding how each of these methods works is crucial to avoiding malicious codes. Malicious source methodology uses QR codes to usher the user to a false login page meant to steal credentials, or prompts the download of a malicious application. Substitution is a parasitic approach wherein a malicious QR code is inserted within or piggybacked onto a legitimate source, or even physically placed over the real QR code, such as on a physical flyer or restaurant signage.

Best practices for using QR codes

Follow these best practices to avoid malicious QR codes: 

  • As a general rule, never scan codes sent via email.
  • Closely inspect physical QR codes. Do not scan if one code appears to be pasted atop another, or stuck onto a flyer rather than printed on it. 
  • Be very wary of any code that prompts the entering of a password or other credential. Be aware that some scams even place an App Store or Google Play logo alongside the malicious code to boost perception of its authenticity. 

Break bad habits and develop deliberate thinking

As with other cyber threats, malicious QR codes work by exploiting our established comfort level with the automation of common actions. The efficacy of such threats can be thwarted by awareness, mindfulness, and education: being fully versed in the threat capability, fostering a deliberate-choice mentality rather than thoughtless clicking, and staying abreast of new developments.