QR codes are not dangerous in themselves, but they carry hidden risks: how to protect yourself from quishing

QR codes are a rather dated technology (for the record, they were invented in Japan in 1994 by Denso Wave, a subsidiary of Toyota, to track car parts), but they are still widely used today in many fields, including cybercrime. A QR code in itself is neither safe nor dangerous: it is simply a “graphic link” that points to an action. It can open a legitimate site, connect us to a Wi-Fi network or show us a menu, but it can just as easily send us to a malicious web page built to steal data or trick us into carrying out operations we would never knowingly perform. In this in-depth analysis we therefore try to clarify why QR codes can be dangerous, becoming a vector for cyber risks in specific contexts, what the most realistic abuse scenarios are, and how we can protect ourselves with common sense, without falling into distrust or, worse still, paranoia.

Why QR codes can be dangerous

Even though QR codes have existed since the 1990s, their use was accelerated by the COVID-19 pandemic, a period in which quick, contactless ways of accessing services became a necessity. Since 2020 their use has grown and we now find them practically everywhere: on screens, posters, products, tickets and on devices without a keyboard, such as smart TVs. Technically, a QR code is a two-dimensional barcode that encodes data readable by a camera: that data can be a web address, plain text, Wi-Fi credentials, a phone number and so on. No infrastructure is required and anyone can generate one in a few seconds using one of the countless online services and apps built for the purpose. It is precisely this popularity and ease of generation that also makes QR codes interesting for cybercriminals: whoever scans the code sees only a pattern of squares, not the address or action hidden inside it.

There are documented cases of QR code-based scams, but their impact is still relatively limited compared with other cyber scams. The most common episodes occur in open, unmanned places such as stations or car parks (for example on parking meters, or in the form of fake fines left on car windscreens), where a genuine code can simply be covered with a fraudulent sticker. In other cases scammers have even sent paper letters to people's homes containing fraudulent QR codes (as happened in Switzerland some time ago). Often, scanning the QR code is not enough on its own to cause the damage: social engineering also comes into play, i.e. the set of techniques that exploit people's trust and emotional reactions, used by cybercriminals to induce their victims to perform dangerous actions (such as filling out forms, providing payment details, and the like).

Not surprisingly, as the NCSC (the United Kingdom's National Cyber Security Centre) points out, QR codes «are increasingly used in phishing emails», a practice called quishing, a fusion of “QR” and “phishing”. Phishing, for the record, is a technique that aims to trick the victim into handing over personal information by imitating official communications. Embedding a QR code in a message has several advantages for the attacker: a user who would be wary of a suspicious link may treat an image containing a QR code as harmless and scan it without a second thought; the address never appears as text in the message, so it escapes filters that only inspect written links; and the scan moves the victim from the computer, where email security controls may be in place, to a personal phone. The scam is then completed if the user carries out the actions the cybercriminal intended when setting the trap: downloading applications that actually hide malware, filling out online forms designed for identity theft or bank fraud, and so on.

How to protect yourself from malicious QR codes

To protect yourself from malicious QR codes, it is important to pay attention to the place (physical or digital) where you are about to scan them. Consider these examples.

  • Restaurants, pubs, bars and similar venues: in places like these the risk is generally low, since the QR codes are usually placed by the managers of the establishment to let customers download the menu, price list, etc.
  • Car parks, stations, public toilets, etc.: in unmanned spaces like these, the risk of coming across a malicious QR code is decidedly higher, because anyone can stick a new code over the original one. Here you should keep your guard up.
  • Emails, direct messages and other online communications: given the increase in quishing via email, here too you need to pay the utmost attention to unexpected messages that invite you to scan a QR code, especially when the same request could have been made with an ordinary link.

As we have already explained, scanning a QR code in itself should not involve major risks; the problem arises afterwards, when potentially dangerous actions are performed on the web page that opens once the two-dimensional code has been read. Most built-in scanners display the decoded address before opening it: read it, and stop if the domain is not the one you expect or is hidden behind a URL shortener. Once on the page, keep in mind not to provide personal information (such as payment details) and not to download apps of any kind except through your device's official store. A further “bonus” tip from the United Kingdom's National Cyber Security Centre: it is better to use the scanner built into the smartphone than a third-party app.
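The two points above, that a QR code is just an encoded payload (a web address, Wi-Fi credentials, a phone number) and that the decision to act should be taken after reading what was decoded, can be turned into a small triage routine. The following Python example is added here and is not code from the article or from the NCSC; it assumes the QR image has already been decoded into its text payload by the phone's scanner or a library (decoding is out of scope), and the shortener list, warning rules and sample payloads are constructed for the example rather than taken from any real case.

```python
"""Triage a decoded QR-code payload before acting on it.

Added example, not code from the article or the NCSC. It assumes the QR image
has already been decoded to its text payload by the phone's scanner or a
library; shortener list, rules and sample payloads are constructed here.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Assumption: well-known public shorteners. Not malicious, but they hide the destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
# Schemes that run or load content directly instead of showing a web page.
ACTIVE_SCHEMES = ("javascript:", "data:", "file:", "intent:", "content:")

@dataclass
class Triage:
    kind: str        # url, wifi, tel, sms, smsto, mailto, active-scheme, text
    target: str      # host, SSID, number or raw text that would be acted on
    warnings: List[str] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.warnings)

def _triage_url(payload: str) -> Triage:
    """Surface the URL properties a person should see before the page opens."""
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https (%s)" % parts.scheme)
    if host in SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host (possible look-alike domain)")
    try:
        ipaddress.ip_address(host)
        warnings.append("IP literal instead of a domain name")
    except ValueError:
        pass
    if parts.username is not None:
        warnings.append("user@ prefix in URL: the real host is %s" % host)
    return Triage("url", host, warnings)

def _parse_wifi(payload: str) -> Dict[str, str]:
    """Parse the WIFI:T:<auth>;S:<ssid>;P:<password>;; convention used by scanner apps."""
    fields = {}
    for item in payload[len("WIFI:"):].split(";"):
        if item:
            key, _, value = item.partition(":")
            fields[key.upper()] = value
    return fields

def triage(payload: str) -> Triage:
    """Classify a payload and list what the user should know before acting on it."""
    payload = payload.strip()
    lower = payload.lower()
    if lower.startswith(("http://", "https://")):
        return _triage_url(payload)
    if lower.startswith(ACTIVE_SCHEMES):
        scheme = payload.split(":", 1)[0].lower()
        return Triage("active-scheme", scheme,
                      ["%s: scheme runs or loads content directly; do not open" % scheme])
    if lower.startswith("wifi:"):
        fields = _parse_wifi(payload)
        auth = fields.get("T", "").lower()
        warnings = ["open network without encryption"] if auth in ("", "nopass") else []
        return Triage("wifi", fields.get("S", ""), warnings)
    if lower.startswith(("tel:", "sms:", "smsto:", "mailto:")):
        kind, rest = payload.split(":", 1)
        kind = kind.lower()
        # SMSTO:<number>:<body>; tel:<number>; mailto:<address>?subject=...
        target = rest.split(":", 1)[0] if kind.startswith("sms") else rest.split("?", 1)[0]
        return Triage(kind, target, ["starts a %s action: confirm the recipient first" % kind])
    return Triage("text", payload, [])

# Constructed sample payloads mirroring the article's scenarios, not real cases.
SAMPLES = {
    "restaurant menu": "https://menu.example-restaurant.com/today",
    "parking sticker": "http://bit.ly/pay-parking-now",
    "fake fine letter": "https://192.0.2.10/fine/pay?id=7731",
    "look-alike bank": "https://login.xn--bnk-example-2ya.invalid/",
    "hotel wifi": "WIFI:T:nopass;S:FreeHotelWifi;;",
    "premium-rate text": "SMSTO:+19005551234:START",
}

def report(samples: Dict[str, str]) -> List[str]:
    """One line per payload: '[RISKY|ok] name -> kind target: warning; warning'."""
    lines = []
    for name, payload in samples.items():
        t = triage(payload)
        detail = ": " + "; ".join(t.warnings) if t.warnings else ""
        lines.append("[%s] %s -> %s %s%s" % ("RISKY" if t.risky else "ok", name, t.kind, t.target, detail))
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLES)))
```

Running the module prints one line per sample; only the restaurant menu comes out as `ok`. The design point is that the check runs on the decoded text, not on the image, so the same routine can sit behind a scanner app's preview screen or in an email gateway that decodes QR images in attachments and feeds the result through the same URL checks it already applies to written links.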