
21.02.24

QR Codes – Understanding the Cyber-security Risks

Cyber-risk and liabilities update

Quick response (QR) codes are a popular marketing, sales, payment and customer service tool for many businesses. However, as QR codes have become more prevalent, malicious actors have found ways to use them in phishing attacks and to spread malware.

These attacks can lead to significant financial and reputational damage, so it is essential for organisations to be aware of the risks and to mitigate them. This article explains what QR codes are and how they are abused, and offers tips on addressing the hazards they present.

Understanding QR Codes

A QR code is a two-dimensional barcode: a grid of black and white squares (modules) that encodes a string of data, typically anything from a few characters to a few thousand. Like a one-dimensional barcode, it can be read by a dedicated code reader or a smartphone camera. The encoded string is most often a URL, so that individuals can reach a website without typing the address, but it can also be plain text or another kind of URI, such as a telephone number, an SMS, Wi-Fi credentials or a contact card, which the scanning app may offer to act on. Once scanned, a QR code gives clients a quick and convenient way to reach a business’s information or leave a review, and it can prompt users to take certain actions, such as making a payment or downloading an app. The point that matters for security is that nothing in the printed pattern reveals what it encodes: the content is only known once it has been decoded.

QR codes can be placed on various items such as posters, leaflets, menus or billboards. They can also be included as images in digital communications sent through email or messaging apps.

The Risks of Quick Response Codes

Although they can be a useful tool, the nature of QR codes allows them to be exploited by cyber-criminals. Every QR code, legitimate or not, looks like a random pattern of squares, so a user cannot tell a safe one from a malicious one by looking at it. Additionally, QR codes are often standalone images, so they may not be accompanied by the tell-tale signs of malicious activity that fraudulent emails often carry (e.g. misspellings, suspicious links), and an email security filter that inspects link text cannot see a URL that is embedded in an image. Organisations encounter risks from QR codes in two ways: they are exposed to cyber-security threats if an employee scans a malicious QR code, and if a company uses QR codes for business purposes, its legitimate codes can be manipulated by cyber-criminals, potentially impacting its customers and the business’s reputation.

Examples of how cyber-criminals can exploit Quick Response codes include:

  • Replacing or tampering with QR codes—Malicious actors may stick a counterfeit QR code over a legitimate one (on a menu, poster or parking meter, for example) or alter a legitimate one so that it points to a different destination.
  • Placing QR codes in high-traffic areas or in strategic locations—Cyber-criminals may place QR codes in high-traffic areas or near places where they might seem connected to a location or object (e.g. on a parking meter). Curious passers-by, or those thinking the QR codes serve a function (e.g. paying for parking), may then scan the malicious code.
  • Sending fraudulent QR codes in an email or through an app—Malicious actors may include a QR code in a digital communication, with accompanying language (for example, an urgent request to verify an account) to make the code seem legitimate.

Once the fraudulent QR code is scanned, a user may be vulnerable to various security issues, including:

  • Quishing—This is a form of phishing in which the QR code leads to a website that imitates a legitimate login page, payment page or form, and the cyber-criminal seeks to steal an individual’s credentials, passwords or other personal data entered there. The cyber-criminal may use social engineering techniques to convince the user that the website is legitimate and therefore safe to enter sensitive information into. Because the victim typically scans with a personal phone, the visit also bypasses any filtering applied to the corporate mail client or desktop browser.
  • Malware delivery—The malicious URL may push the user to download an app or file, or may exploit an unpatched vulnerability in the phone’s browser, so that malware is installed on the device.
  • QRLjacking—QR-code login hijacking targets services that let a user sign in to a website by scanning a QR code with an already-authenticated mobile app. The cyber-criminal starts a login on the service, copies the login QR code it displays onto a phishing page or poster and waits for the victim to scan it; the victim’s app then approves the cyber-criminal’s browser session as the victim’s, with no password or malware involved.
  • Device actions and payments—A QR payload is not limited to web addresses. It may encode a telephone number, an SMS to a premium-rate number, Wi-Fi network credentials or a contact card, and a scanning app may offer to place the call, send the text or join the network, or in some configurations do so automatically. Payment QR codes that pre-fill a payee and amount can likewise be swapped so that the money goes to the cyber-criminal’s account. Taking full control of a device from a scan alone would require a vulnerability in the browser or scanner app, which is one reason to keep devices patched.

Mitigating the Risks of QR Codes

As cyber-criminals increase their use of Quick Response codes, it is essential for organisations to mitigate the risks associated with them. Strategies include the following:

  • Provide continuous education to employees on the latest cyber-threats and dangers connected to QR codes, including examples of quishing emails.
  • Carefully examine printed QR codes for signs of tampering before scanning them, such as a sticker placed over the original or a code that does not match the surrounding signage.
  • Be cautious when scanning QR codes: most scanner apps display the decoded address before opening it, so double-check the web address of the site the code points to, and abandon the scan if the domain is unfamiliar, misspelt or hidden behind a link shortener.
  • Install security software with content filtering that inspects links and attachments and blocks access to suspicious items, on mobile devices as well as desktops, since the scan usually happens on a phone.
  • Maintain strict access controls to limit damage from malicious actors if they obtain login credentials.
  • Utilise multifactor authentication to add a layer of protection to business systems in case employee passwords or credentials have been compromised.
  • Advise employees not to scan QR codes if they are unsure of their origin, and never to enter credentials on a page reached from a QR code in an unexpected email.
  • Keep all devices updated and patched.
  • Disable automatic QR code scanning and automatic link opening on devices, so that the decoded content is shown and must be confirmed before the device acts on it.
  • Review default settings and permissions that allow scanner apps and browsers to share sensitive information or to perform actions such as dialling, sending texts or joining networks.
  • Train employees on how to safely use their technology in a bring-your-own-device environment.
  • Reduce the use of QR codes in electronic business communications to disincentivise cyber-criminals from using them to target customers, and so that customers learn to treat an unexpected QR code in an email as suspicious.
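The checks in the list above (show the decoded content, verify the address, do not let the device act on a payload automatically) can be written down as a policy. The following Python is an added example, not code from the original article or from Zywave, showing how an in-house scanning app or a mobile link filter might triage a decoded QR payload before acting on it. The trusted domains (example.com, example.org), the shortener list and the sample payloads are constructed assumptions for illustration; the function only looks at the decoded string and returns a verdict with reasons.

```python
"""Triage a decoded QR payload before a device acts on it.

A QR code is only a container for a string; the risk lies in what the
scanner does with that string. This checks the decoded content and returns
"allow", "warn" (show the user and ask) or "block", with reasons.
Added example; the domain lists below are hypothetical.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical list of the organisation's own domains.
TRUSTED_DOMAINS = {"example.com", "example.org"}

# Constructed list of public link shorteners, which hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# URI schemes that make the scanning app do something other than open a page.
ACTION_SCHEMES = {
    "tel": "place a phone call",
    "sms": "send a text message",
    "smsto": "send a text message",
    "mailto": "compose an e-mail",
    "wifi": "join a Wi-Fi network",
    "geo": "open a map location",
    "market": "open an app-store listing",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host: str) -> str:
    """Crude approximation of the registrable domain: the last two labels."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _result(verdict: str, kind: str, target: str, reasons: list) -> dict:
    return {"verdict": verdict, "kind": kind, "target": target, "reasons": reasons}


def triage_qr_payload(payload: str) -> dict:
    """Classify a decoded QR string as text, a device action or a URL."""
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()

    if not scheme:  # no "scheme:" prefix, e.g. an asset tag: display only
        return _result("allow", "text", payload, ["plain text; display, never open"])
    if scheme in ACTION_SCHEMES:  # never auto-execute; show the user and ask
        return _result("warn", "action", payload,
                       [f"'{scheme}:' would {ACTION_SCHEMES[scheme]}; require explicit confirmation"])
    if scheme not in ("http", "https"):
        return _result("block", "unknown", payload, [f"unrecognised scheme '{scheme}'"])

    host = (parts.hostname or "").lower()
    if not host:
        return _result("block", "url", payload, ["URL has no host"])

    block, warn = [], []
    if parts.username is not None:  # https://bank.example@evil.example/ opens evil.example
        block.append(f"'{parts.username}@' before the host disguises the real host {host}")
    if _is_ip_literal(host):
        warn.append("raw IP address instead of a domain name")
    if "xn--" in host:
        warn.append("punycode label; possible homograph of a familiar name")
    if scheme == "http":
        warn.append("plain HTTP; anything entered on the page travels unencrypted")

    domain = host if _is_ip_literal(host) else _registrable(host)
    if domain in SHORTENERS:
        warn.append(f"shortener {domain} hides the final destination")
    if domain not in TRUSTED_DOMAINS:
        if any(host.startswith(t + ".") for t in TRUSTED_DOMAINS):
            block.append(f"trusted name used as a subdomain of '{domain}'")
        elif any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
            block.append(f"'{domain}' is a look-alike of a trusted domain")
        else:
            warn.append(f"'{domain}' is not a trusted domain; show the full address before opening")

    if block:
        return _result("block", "url", payload, block + warn)
    return _result("warn" if warn else "allow", "url", payload, warn)


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app might decode them.
    for sample in ("https://www.example.com/menu", "https://examp1e.com/login",
                   "https://example.com@evil.example/login", "https://bit.ly/3xYz",
                   "tel:+441234567890", "WIFI:T:WPA;S:FreeCafe;P:hunter2;;", "Asset-00123"):
        r = triage_qr_payload(sample)
        print(f"{r['verdict']:5} {r['kind']:7} {sample}  {'; '.join(r['reasons'])}")
```

The design choice is that anything which is not a plain https link to the organisation's own domain is at least a "warn": the user is shown the full decoded string and has to confirm, which is exactly the behaviour the "disable automatic scanning" advice asks for. Look-alike spelling, a trusted name used as a subdomain of another domain, and credentials-before-the-host URLs are blocked outright because a user cannot reliably spot them on a phone screen.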

Organisations wishing to use QR codes can also take steps to protect their customers. Techniques to consider include:

  • Using a reputable QR code generator, and preferring a code that links directly to the company’s own domain over a dynamic code that redirects through the generator’s service and can expire or be repointed
  • Customising the QR code to include the company’s branding, bearing in mind that branding helps customers recognise the code but is not a security control, since it can be copied
  • Testing the QR code with several scanner apps before distributing it, and re-checking deployed printed codes periodically, since a sticker can be placed over them at any time
  • Ensuring the linked website uses HTTPS with a valid TLS certificate, while remembering that a padlock on its own does not prove a site is genuine, as phishing sites use HTTPS too

Conclusion

QR codes provide a useful function, but they can also serve as an entry point for malicious individuals to steal credentials, insert harmful software, and compromise the security of an organisation and its customers. This can lead to significant financial losses and reputational damage. By implementing risk reduction strategies, companies can protect their business, employees and clients. Contact us today for information relating to insurance to guard against the risk of cyber-crime.

Information provided by Zywave and contributed by Lisa Langley, Cert CII, Team Leader, Professional Risks, Cox Mahon Ltd.

This Cyber Risks & Liabilities document is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.