A Close Look at QR Codes – How Safe are They?
QR (Quick Response) codes have been around since the 1990s. They were widely used in the UK during the pandemic lockdowns for various purposes such as ordering food. Although perhaps not as popular today as they were in the past, QR codes are still widely used by many companies. It is an easy way to direct people to websites and to order or pay for goods and services.
A QR code can be easily read by a digital device, storing information as a series of pixels in a square-shaped grid. Because many smartphones have built-in QR readers they are often used in marketing and advertising campaigns.
The question remains: Are they safe? Should businesses take advantage of the benefits of using QR codes or steer clear because of possible safety threats?
QR codes in phishing emails
Although QR-enabled fraud or scams via QR codes displayed in public areas such as train stations are generally not that common, QR codes are increasingly being used in phishing emails. This tactic bypasses user suspicion towards suspicious links and short URLs.
Cyber criminals are increasingly making use of QR codes in this way, and from their perspective, it makes sense for various reasons.
Phishing emails traditionally rely on users clicking malicious links embedded within the message.
However, with increased awareness of phishing tactics, users are more cautious about clicking suspicious links.Criminals are therefore using QR codes to disguise the links to malicious websites that phishing emails contain.
A phishing email might appear legitimate, mimicking a well-known brand like a bank or social media platform. The email might claim urgent action is needed and include a QR code instead of a direct link. This creates a sense of urgency and encourages the user to scan the code quickly, potentiallybypassing their usual caution.
Not all security tools designed to detect phishing emails will scan images, so a QR code directing the user to a malicious website may easily slip through.
Users are more likely to use their personal phone to scan the QR code. Personal devices may not have the same security protections as a computer provided by a business, increasing vulnerability.
