Are QR codes safe? Precautions and security measures.
Because of coronavirus pandemic, many businesses attempted to create a contactless experience, choosing solutions like QR codes. We see a lot of restaurants using them to display their menus on smartphones and on receipts, for a contactless payment option.
For popular apps like Snapchat and WhatsApp, QR codes are an integral part of the user experience. Users can use the codes to log into their account, exchange contact information, or make money transfers. In countries like China, QR codes have become part of the way of life, thanks to apps like WeChat.
Of course, this technology carries risks. Indeed, QR codes make it easy for scammers to send you phishing links. For starters, there’s no way to know where the code will take you until you scan it. This means that when an employee gets phished on their personal time, for example while going to a restaurant, it will not only affect them personally, but could also compromise their company’s infrastructure.
What is a QR code?
The QR code (Quick Response code) is this small square we already see on posters, on flyers, on the front of a shop, in a restaurant or even on train or plane tickets.
With a smartphone, all you have to do is place the lens of your device towards the QR code to see a URL (web address) displayed, inviting you to validate and directly open a web page.
It is a practical tool that makes life easier and avoids typing long addresses. But it can also lead to a cyberthreat, with attacks targeted towards owners of smartphones who are not careful, including professionals who use it to access Internet pages (restaurant menus, direct access to their website, information on products, etc.).
What possible attacks with QR codes?
QR codes can point to malicious URLs (addresses of sites, pages, executable software) in an attempt to access data from a smartphone or tablet. It can also involve cyberattacks aimed at opening a phishing site (phishing), a fraudulent technique intended to deceive the Internet user to encourage him to communicate personal data (access accounts, passwords, etc.) and/or banks by posing as a trusted third party. This is called QRishing. It can also lead to a short URL (URL shortener) which then redirects to the malicious URL.
Other possible malicious actions from a QR code:
- retrieve a list of contacts from your device in order to send them messages by email or phone;
- initiate phone calls to premium rate numbers;
- send malicious SMS;
- make mobile payments.
Precautions and security measures to take when using QR codes
Here are some rules to follow to protect yourself from fake QR codes:
- Before scanning a QR code, make sure it does not hide another code;
- If in doubt about a QR code, do not scan it;
- Check the URL displayed by the notification before clicking on the redirect. If it looks strange or it is very short, exit notification;
- The QR code must lead you to the desired information, if this is not the case, close the page and erase the history of your browser;
- If the QR code leads to an application from the AppStore or Google Play, make sure that the company mentioned on this page has indeed developed the requested application;
- Do not install security applications from a scanned link of a QR code because it is often malicious software (malware);
- Be wary of QR codes distributed on cards, mentioned on posters at events, or placed in public places;
- For professional smartphones, do not set up the automatic installation of applications;
- Use multi-factor authentication for enterprise applications;
- Professionals: it is strongly recommended to adopt a defense solution against mobile threats.
Attackers are constantly using new phishing methods, such as QR codes, to trick users into giving up their information. While training is effective in prevention, a well-placed attack can catch even the best-trained professionals off guard.
More than ever, we all need a way to discern trustworthy sources from those who seek to steal our information. In short, have security measures able to manage phishing, whatever it’s type.