QR codes were once a quirky novelty that prompted a fun scan with the phone. Early on, you might have seen a QR code on a museum exhibit and scanned it to learn more about the eating habits of the woolly mammoth or military strategies of Genghis Khan. During the pandemic, QR codes became the default restaurant menu. However, as QR codes became a mainstay in more urgent aspects of American life, from boarding passes to parking payments, hackers have exploited their ubiquity.

“As with many technological advances that start with good intentions, QR codes have increasingly become targets for malicious use. Because they are everywhere — from gas pumps and yard signs to television commercials — they’re simultaneously useful and dangerous,” said Dustin Brewer, senior director of proactive cybersecurity services at BlueVoyant.

Brewer says that attackers exploit these seemingly harmless symbols to trick people into visiting malicious websites or unknowingly sharing private information, a scam that has become known as “quishing.”

The increasing prevalence of QR code scams prompted a warning from the Federal Trade Commission earlier this year about unwanted or unexpected packages showing up with a QR code that when scanned “could take you to a phishing website that steals your personal information, like credit card numbers or usernames and passwords. It could also download malware onto your phone and give hackers access to your device.”

State and local advisories this summer have reached across the U.S., with the New York Department of Transportation and Hawaii Electric warning customers about avoiding QR code scams.

The appeal to cybercriminals lies in the relative ease with which the scam operates: slap a fake QR code sticker on a parking meter or a utility bill payment warning and rely on urgency to do the rest.

“The crooks are relying on you being in a hurry and you needing to do something,” said Gaurav Sharma, a professor in the department of electrical and computer engineering at the University of Rochester. 

On the rise as traditional phishing fails

Sharma expects QR scams to increase as the use of QR codes spreads. Another reason QR codes have increased in popularity with scammers is that more safeguards have been put into place to tamp down on traditional email phishing campaigns. A study this year from cybersecurity platform KeepNet Labs found that 26 percent of all malicious links are now sent via QR code. According to cybersecurity company NordVPN, 73% of Americans scan QR codes without verification, and more than 26 million have already been directed to malicious sites.

“The cat and mouse game of security will continue and that people will figure out solutions and the crooks will either figure out a way around or look at other places where the grass is greener,” Sharma said.

Sharma is working to develop a “smart” QR code called an SDMQR (Self-Authenticating Dual-Modulated QR) that has built-in security to prevent scams. But first, he needs buy-in from Google and Microsoft, the companies that build the cameras and control the camera infrastructure. Companies putting their logos into QR codes isn’t a fix because it can cause a false sense of security, and criminals can usually simply copy the logos, he said.

Some Americans are wary of the increasing reliance on QR codes.

“I’m in my 60s and don’t like using QR codes,” said Denise Joyal of Cedar Rapids, Iowa. “I definitely worry about security issues. I really don’t like it when one is forced to use a QR code to participate in a promotion with no other way to connect. I don’t use them for entertainment-type information.”

Institutions are also trying to fortify their QR codes against intrusion.

Natalie Piggush, spokeswoman for the Children’s Museum of Indianapolis, which welcomes over one million visitors a year, said their IT staff began upgrading their QR codes a couple of years ago to protect against what has become an increasingly significant threat.

“At the museum, we use stylized QR codes with our logo and colors as opposed to the standard monochrome codes. We also detail what users can expect to see when scanning one of our QR codes, and we regularly inspect our existing QR codes for tampering or for out-of-place codes,” Piggush said.  

Museums are usually less vulnerable than places like train stations or parking lots because scammers are looking to collect cash from people expecting to pay for something. A patron at a museum is less likely to expect to pay, although Sharma said even in those settings, fake QR codes can be deployed to install malware on someone’s phone.

Apple, Android user trust is an issue

QR code scams are likely to hit both Apple and Android devices, but iPhone users may be slightly more likely to fall victim to the crime, according to a study completed earlier this year by Malwarebytes. Users of iPhones expressed more trust in their devices than Android owners and that, researchers say, could cause them to let down their guard. For example, 70% of iPhone users have scanned a QR code to begin or complete a purchase versus 63% of Android users who have done the same.

Malwarebytes researcher David Ruiz wrote that trust could have an adverse effect, in that iPhone users do not feel the need to change their behavior when making online purchases, and they have less interest in (or may simply not know about) using additional cybersecurity measures, like antivirus. Fifty-five percent of iPhone users trust their device to keep them safe, versus 50 percent of Android users expressing the same sentiment.

Low investment, high return hacking tactic

A QR code is more dangerous than a traditional phishing email because users typically can’t read or verify the encoded web address. Even though QR codes normally include human-readable text, attackers can modify this text to deceive users into trusting the link and the website it directs to. The best defense against them is to not scan unwanted or unexpected QR codes and to look for ones that display the URL when you scan them.
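To make the gap between the printed text and the encoded address concrete, here is an added example (not from the article or any vendor's scanner) of a check a scanner app could run on the decoded text before opening it. The function names, warning wording and sample addresses are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def site_hint(host):
    # Last two DNS labels: a rough stand-in for the registrable domain
    # (assumption: no public-suffix list, so names like example.co.uk are not handled).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def review_qr_payload(payload, printed_label=None):
    """Return (host, warnings) for the text decoded from a QR code.

    printed_label is the human-readable address shown beside the code, if any.
    """
    url = urlsplit(payload.strip())
    if url.scheme not in ("http", "https"):
        return None, ["not a web link (scheme=%s)" % (url.scheme or "none")]
    host = url.hostname or ""
    warnings = []
    if url.scheme == "http":
        warnings.append("unencrypted http link")
    if url.username is not None:
        warnings.append("text before '@' is not the destination")
    try:
        ipaddress.ip_address(host)
        warnings.append("destination is a raw IP address")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(part.startswith("xn--") for part in host.split(".")):
        warnings.append("punycode host (possible look-alike characters)")
    if printed_label:
        label_host = urlsplit("//" + printed_label.split("://")[-1]).hostname or ""
        if site_hint(label_host) != site_hint(host):
            warnings.append("printed text says %s, code goes to %s" % (label_host, host))
    return host, warnings

# Constructed samples (reserved .example/.test names and a documentation IP range).
SAMPLES = [
    ("https://pay.cityparking.example/meter/42", "cityparking.example"),
    ("http://192.0.2.10/pay", "cityparking.example"),
    ("https://cityparking.example@pay-meter.test/login", "cityparking.example"),
]

if __name__ == "__main__":
    for payload, label in SAMPLES:
        print(payload, "->", review_qr_payload(payload, label))
```

An empty warning list only means none of these signals fired; it does not show that the destination is trustworthy.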

Brewer says cybercriminals have also been leveraging QR codes to infiltrate critical networks.  

“There are also credible reports that nation-state intelligence agencies have used QR codes to compromise messaging accounts of military personnel, sometimes using software like Signal that is also open to consumers,” Brewer said. Nation-state attackers have even used QR codes to distribute remote access trojans (RATs) — a type of malware designed to operate without a device owner’s consent or knowledge — enabling hackers to gain full access to targeted devices and networks.

Still, one of the most dangerous aspects of QR codes is how they are part of the fabric of everyday life, a cyberthreat hiding in plain sight.

“What’s especially concerning is that legitimate flyers, posters, billboards, or official documents can be easily compromised. Attackers can simply print their own QR code and paste it physically or digitally over a genuine one, making it nearly impossible for the average user to detect the deception,” Brewer said.

Rob Lee, chief of research, AI, and emerging threats at the cybersecurity-training-focused SANS Institute, says that QR code compromise is just another tactic in a long line of similar strategies in the cybercriminal playbook.

“QR codes weren’t built with security in mind, they were built to make life easier, which also makes them perfect for scammers,” Lee said. “We’ve seen this playbook before with phishing emails; now it just comes with a smiley pixelated square. It’s not panic-worthy yet, but it’s exactly the kind of low-effort, high-return tactic attackers love to scale.”


