12 Apr 2022
QR codes (short for Quick Response codes) are a technology that we have become accustomed to in our day-to-day lives, from checking into places when NHS track and trace restrictions were in place, to looking at menus, ordering and paying for food and drinks at restaurants. They are used by advertisers too, as they are a quick and easy way for people to find information as opposed to looking up a specific website page. Coinbase, a cryptocurrency exchange platform based in America, aired an advert during this year’s Super Bowl which led to over twenty million hits on their page in under a minute.
Unfortunately, because of the resurgence in their popularity, QR codes are seeing increased usage as a form of phishing. Cybercriminals have noted the popularity and comfort surrounding QR codes and taken advantage of this. For example, recently there have been cases of criminals printing fake QR codes and sticking them near parking meters, so that unsuspecting drivers will scan them and give their bank details while attempting to pay for parking.
The most common danger to users is giving away bank details or other important information to the website that a malicious QR code has directed them to. Because QR codes are very commonly used to direct people to make payments or fill in forms, many people will believe that the websites are legitimate without checking, and could potentially send information or even payments to malicious parties. On top of this, it’s also possible to generate QR codes that point users to URLs that will distribute malware, add fraudulent contacts to your phonebook, or point you to malicious websites.
When compared to hyperlinks, QR codes are less likely to be detected as malicious by automated systems - because of this, they’re often used as an attempt to fly under the radar. It’s particularly important for users to stay alert when interacting with them and try to ensure that any malicious activity is prevented.
Tips to stay safe
- Treat QR codes as if they were any other website link
- Take a close look at the website that the QR code has redirected you to
- Use a central password manager (see LSE recommendations) to autofill passwords. If the website is fake, then the password manager will be able to identify this.
- As a rule of thumb, ignore QR codes in unexpected emails.
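
The first two tips can also be applied by a tool before a link is opened. The sketch below is an added example, not part of the original article: it assumes the QR code has already been decoded to text by a scanner, and the hostnames and sample payloads are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts your organisation really prints on its QR codes (placeholder).
EXPECTED_HOSTS = {"parking.example.org"}

def inspect_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Classify text decoded from a QR code and list reasons for caution."""
    text = payload.strip()
    # Contact payloads ask the phone to add a phonebook entry, not open a site.
    if text.upper().startswith(("BEGIN:VCARD", "MECARD:")):
        return "contact", ["adds a phonebook contact; confirm the source first"]
    try:
        parts = urlsplit(text)
    except ValueError:
        return "other", ["malformed link"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return "other", ["not a web link; do not open automatically"]
    warnings = []
    host = (parts.hostname or "").rstrip(".")
    if scheme != "https":
        warnings.append("link is not HTTPS")
    if parts.username or parts.password:
        warnings.append("userinfo before '@' can disguise the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another name")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # an ordinary hostname, not an IP literal
    if host not in expected_hosts:
        warnings.append(f"host {host!r} is not an expected site")
    return "url", warnings

# Constructed sample payloads, as a scanner might return them.
SAMPLES = [
    "https://parking.example.org/pay?bay=12",
    "http://203.0.113.5/pay",
    "https://parking.example.org@pay.example.net/login",
    "MECARD:N:Support;TEL:0000000000;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_qr_payload(sample))
```

An empty warning list only means none of these checks fired; the page the link leads to still deserves the close look described in the tips.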