Home News Think Before You Scan! Malicious QR Codes in the Wild

Think Before You Scan! Malicious QR Codes in the Wild

Cybercriminals are exploiting the heightened use of QR code payments by embedding malicious QR codes in the consumer market.

Crypto ATMs and QR Codes

Since the outbreak of the COVID-19 pandemic, people across the globe have encountered dramatic changes in their daily lives. From the way we used to communicate to the way we worked, the pandemic has affected every facet of our daily routine. In particular, the ongoing crisis encouraged people to make contactless transactions through Quick-Response (QR) codes. However, the swift adaption of digital payments has increased the risks more than ever. Most people are turning to QR transactions unaware of the threats posed to them.

What is a QR Code?

A QR code is a type of barcode that allows a user to access information instantly by a digital device.  QR codes store data as a series of pixels in a square-shaped grid and are mostly used to track details of a particular product in a supply chain.

QR Code Abuse

Since QR codes have made mobile payments efficient, threat actors find them easy to abuse. This is called ‘Qshing.’

According to a recent survey from cybersecurity firm Ivanti,  consumer-based QR codes pose severe security threats to corporate systems and data. The survey conducted on 4,100 consumers across the U.S., U.K., France, Germany, China, and Japan revealed that the heightened need for contactless transactions has increased the use of QR codes. Nearly 57% of respondents claimed an increase in QR code use since March of 2020, and 83% of survey respondents said they’ve used QR codes for the first time to make payments in the last year.

Ivanti revealed that the proliferation of QR codes is leveraged to infiltrate mobile devices and steal sensitive financial data.

Malicious QR Codes in the Wild

Cybercriminals often follow trends. Several QR code payment frauds have been reported as consumers are making more digital payments than ever. Threat actors embed malicious URLs containing malware into a QR code to exfiltrate data from the user’s device when scanned. At times, they also embed malware in a QR code that redirects the victim to a phishing page asking to enter sensitive information. 

Threats from Malicious QR Codes

  • The malicious QR codes can add unknown/suspicious contacts to the mobile contact list.
  • They can connect the victim’s device to a malicious network.
  • The malware embedded in the QR code can automatically initiate phone calls, draft emails, and send text messages.
  • It can reveal the user’s location.
  • Automatic fraudulent payments are initiated.

Things to Remember

Don’t initiate the payment, if you get a notification to put any sensitive information when you scan a QR code.

  • Avoid scanning random QR codes from suspicious or unknown sources.
  • Don’t scan QR codes received via emails.
  • Make sure the QR is original and not pasted over with another one.
  • Use QR scanner software to view the URL before clicking on it.

Guidelines from a Banker

Recently, India’s largest bank, the State Bank of India (SBI), issued an alert relating to QR code scans. Posting a tweet and awareness video on QR payments frauds, the banker warned people to be vigilant while scanning QR codes shared by anyone unless the objective is to pay.

“You don’t receive money when you scan the QR code. All you get is a message that your bank account is debited for an ‘X’ amount. Do not scan QR codes shared by anyone unless the objective is to pay. Stay alert. Stay safe,” the SBI said.

Good cyber hygiene, awareness of mobile threats, and security can help in mitigating the rising threat from malicious QR codes.