The Hidden Dangers of QR Code Phishing: A Guide for Businesses

Tuesday, October 10th, 2023

Today, QR codes are increasingly used by businesses for their convenience and versatility. However, this has also created a new avenue for cybercriminals to exploit: QR code phishing. In this blog, we’ll explain what QR code phishing is, why your business should care about it, and offer some practical tips on how to protect your organisation from attack.

What is QR Code Phishing?

QR code phishing, also known as QRishing, is a type of cyber-attack where fraudsters trick victims into scanning malicious QR codes. These codes can lead to phishing websites that steal sensitive information or download malware onto the victim’s device.

Why should businesses care?

Cybersecurity is no longer just an IT issue; it’s a business issue. A successful QRishing attack can lead to data breaches, financial loss, and damage to your business’s reputation. Moreover, with the rise of remote work and mobile device usage, the risk has never been greater.

How does QRishing work?

Imagine this scenario: Your employee receives a seemingly harmless promotional email with a QR code offering a discount. They scan the code, which directs them to a login page identical to your company’s portal. Without suspecting anything, they enter their credentials, unknowingly handing them over to cybercriminals.

Five common QRishing scams

It’s crucial to be aware of the various types of QR code phishing, as it can have serious consequences. Below are five kinds of QR code scams to look out for:

  1. Fake coupons: Some individuals create QR codes that resemble coupons or discounts for popular products or services. However, these codes actually lead to phishing sites that request your credit card details or other sensitive information.
  2. Fake Wi-Fi: Hackers create QR codes that appear to offer access to free Wi-Fi networks. These codes connect your device to a rogue network that can monitor your online activity, steal your passwords, or infect devices with malware.
  3. Fake surveys: Some scammers create QR codes that appear to be surveys or feedback forms. However, these codes gather your personal information, such as your name, email, phone number, or location, and sell it to third parties or use it for identity theft.
  4. Fake invoices: Some cybercriminals create QR codes that resemble invoices or payment requests. These codes charge your account with unauthorised transactions or redirect you to fake payment platforms that can steal your financial information.
  5. Fake parking meter codes: QR codes are placed on parking meters and claim to offer a convenient way to pay for parking. However, they take you to a fraudulent website that collects your credit card information.

Some real-world examples of QR code scams

In China, scammers placed fake parking tickets on illegally parked cars. The tickets contained a QR code and instructions to use the code to pay via a mobile payment app. However, the QR code redirected the victims to a phishing website that asked for their credit card details.

In the UK, cybercriminals sent emails to customers of parcel delivery companies, claiming that they needed to pay a small fee to receive their packages. The emails contained a QR code that supposedly linked to the payment page. However, the QR code led the victims to a fake website that harvested their personal and financial information.

Across the globe, attackers have sent emails to employees of organisations, pretending to be from their IT department or security team. The emails contained a QR code and asked the recipients to scan it as part of a multi-factor authentication process. However, the QR code directed the victims to a phishing site that stole their login credentials.

How can businesses protect themselves?

Here are some practical steps your business can take to protect itself from QRishing attacks:

  • Educate your employees. Awareness is the first line of defence. Conduct regular training sessions on cybersecurity threats, including QRishing. Teach employees to verify the source of any QR code before scanning it.
  • Use secure QR codes. Consider using dynamic QR codes that contain a short URL. This allows users to see where the code will take them before they scan it.
  • Implement two-factor authentication (2FA). 2FA adds an extra layer of security by requiring users to verify their identity using a second method, such as a text message or fingerprint, in addition to their password.
  • Regularly update and patch systems. Cybercriminals often exploit vulnerabilities in outdated software. Ensure all systems and applications are up-to-date with the latest patches.
  • Invest in cybersecurity tools. Use security software that can detect phishing attempts and malicious websites.
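
One way a mail gateway or scanner app could apply the "verify the source" and "detect malicious websites" advice above to the text decoded from a QR code. This is an added example, not code from Modern Networks; the trusted hosts, lure words and function names are assumptions chosen for illustration, and the input is assumed to be already decoded from the QR image.

```python
from urllib.parse import urlsplit

# Assumptions for illustration: hosts this organisation really uses in QR codes,
# and path words that suggest a credential or payment page.
TRUSTED_HOSTS = {"portal.example.com", "www.example.com"}
LURE_WORDS = ("login", "signin", "verify", "mfa", "payment", "invoice")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_qr_payload(payload):
    """Return (verdict, reasons) for text already decoded from a QR code."""
    text = payload.strip()
    if text.upper().startswith("WIFI:"):
        return "block", ["joins a Wi-Fi network rather than opening a page"]
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "review", ["not a web link"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode hostname")
    for good in sorted(TRUSTED_HOSTS):
        if host != good and (edit_distance(host, good) <= 2 or host.startswith(good + ".")):
            reasons.append(f"hostname imitates {good}")
    if host in TRUSTED_HOSTS and not reasons:
        return "allow", []
    if host not in TRUSTED_HOSTS and any(w in parts.path.lower() for w in LURE_WORDS):
        reasons.append("untrusted host serves a login or payment path")
    return ("block" if reasons else "review"), reasons or ["host not on trusted list"]


if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real campaign.
    for sample in ("https://portal.examp1e.com/login", "WIFI:T:WPA;S:Free_Guest;P:constructed;;"):
        print(sample, "->", triage_qr_payload(sample))
```

Anything that comes back as "review" is simply unknown rather than proven safe, so it should go to a person or a URL reputation service before the link is released.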

Additional tips for everyone:

  • Only scan QR codes from trusted sources, such as the company’s website or official social media pages.
  • Be wary of QR codes that promise discounts or other freebies. These are often used to lure people into scanning malicious codes.
  • If possible, use a QR code scanner app that can detect malicious codes.
  • Never enter personal information, such as passwords or credit card numbers, after scanning a QR code.

QRishing is a serious threat to businesses of all sizes. By following the tips above, businesses can help protect themselves from this type of attack. However, cybersecurity is a complex and ever-evolving field, so it is important to have a comprehensive cybersecurity strategy in place and to review and update it regularly.

If you are unsure how to protect your business from QRishing or other cybersecurity threats, contact Modern Networks today. We have the expertise to assess your business’s cybersecurity risks and develop a customised plan to mitigate those risks.