Everybody is excited about the QR Code. But be careful of the easy scanning process. 

Security Awareness
13 June 2022
Quishing

The QR code was an odd word and a somewhat incomprehensible pattern until a few years ago; today, it has become something everyone knows, and it now seems impossible to do without it. Some people even love to tattoo it on their skin to have it always with them.    

But what exactly is a QR code?

It’s a square, two-dimensional barcode, and its primary function is to store information and data. A single code can have up to 7,089 numeric characters and 4,296 alphanumeric characters.

QR stands for “Quick Response.” The name reflects the speed with which mobile devices can decode the information the code holds. To access any archive of information (which could simply be a restaurant’s menu), it is sufficient to frame the code with your cell phone camera, and, in no time at all, you will be directed to the desired page.

It was invented in the early ’90s when an engineer from the Denso Wave company developed a method to keep track of vehicle components in the automotive industry during their assembly. He drew inspiration from the boards used in the traditional Chinese game Go, the same game used in the development of DeepMind’s (Google) AlphaGo artificial intelligence.   

It first became popular in Japan, where it was used mainly in newspaper and magazine ads and street billboards. In Europe and the United States, this kind of 2D technology spread only around the end of the year 2000 due to the expansion of the smartphone market. The latter is, in fact, the perfect tool to convey the intelligent information of QR codes.  

QR codes have become a commonly used tool that allows the transmission of information of any kind, right up to the ultimate advancement of the Green Pass: a QR code capable of containing our health information and granting us access to various public and private services.

 

Quishing, the risks hidden in the QR Code

This tool, like all technology, can facilitate everyday life and access to numerous services; however, it must be “handled” with care because it also presents dangerous scenarios.

So much so that in a recent report, McAfee listed Quishing (“misuse and malicious use of QR codes”) as one of the five main threats for the years ahead. The technique used goes something like this: victims scan malicious QR codes and end up on fraudulent websites. To gain access, they are always asked to provide some “essential” data such as username, password, and payment information. Needless to say, all this information ends up in the hands of cybercriminals. In some other cases, just scanning the QR code is enough to download malware to your device.

The issue has become more and more worrisome, so much so that last January the FBI issued a warning recommending that Americans be very careful with this type of attack and, in particular, pay attention to QR codes used as a payment method. The FBI has made it known that criminals can steal money from unsuspecting victims simply by redirecting payments to malicious sites.

The warning came just after the Massachusetts State Police made it public that some QR codes used on parking meters connected users to fraudulent payment sites. Instead of paying for parking, the victim sent payment information to the scammers.  

What can you do to protect yourself from Quishing?

Knowing that on the web it is human error that opens the door to criminals, we must sharpen our attentiveness and awareness when we are dealing, as in this case, with a new and widespread technology. The fact that the majority of users are uninformed about the obscure aspects of QR codes readily gives an opening to hackers, who are always looking for new ways to commit their favorite crimes.

In general, therefore, any QR code should be considered suspicious, and before scanning it, you should make sure of its credibility.    

In their warning, the FBI lists a series of precautions to avoid unpleasant surprises. Good habits to follow include:

     

      • After scanning a QR code, check the URL to make sure it is the intended site and that it appears authentic. A fraudulent domain name may appear similar to the authentic one but with some typos or misplaced letters.  

      • Before submitting sensitive personal or financial data to a site, always be very careful. But be even more cautious if you have used a QR code to access the site.  

      • Before scanning a QR code, make sure that the code has not been tampered with, such as a sticker placed over the original code. 

      • Avoid downloading apps from a QR code. For a more secure download, use the official app stores.

      • Be wary if someone asks you to make a payment using a QR code, especially if the purchase was completed recently and the payment was not successful. In these cases, contact the company requesting the payment directly, using only authorized methods, to ask for clarification.

      • Remember that it is not necessary to download any app to scan QR codes. Most cell phones have a scanner integrated into the camera, reducing the risks of downloading malicious apps to your device.

      •  Even when a QR code appears to be from a reputable source, always verify its actual origin before using it.
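
The first precaution above, checking that the scanned URL is the intended site and not a near-miss of it, can be automated on a managed device or scanning gateway. The sketch below is an added example, not part of the original article or the FBI warning; it also flags non-HTTPS links, embedded credentials and punycode hosts, and the domain names, allowlist and function names are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the domains your QR codes are expected to open.
EXPECTED_DOMAINS = {"pay.example-parking.com", "example-parking.com"}

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: inserts, deletes, substitutions, adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # misplaced letters
    return d[len(a)][len(b)]

def vet_qr_url(payload: str, expected=EXPECTED_DOMAINS, max_distance=2):
    """Return (verdict, reasons) for a string decoded from a QR code."""
    reasons = []
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ("unparseable", ["payload is not a well-formed URL"])
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if parts.username or parts.password:
        reasons.append("text before '@' can disguise the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host uses punycode (possible look-alike characters)")
    if host in expected:
        return ("suspicious" if reasons else "expected", reasons)
    near = sorted(d for d in expected if edit_distance(host, d) <= max_distance)
    if near:
        reasons.append(f"host {host!r} is a near miss of {near}")
        return ("lookalike", reasons)
    reasons.append(f"host {host!r} is not on the expected list")
    return ("unknown", reasons)

if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real incident.
    for url in ("https://pay.example-parking.com/meter/17",
                "https://pay.exmaple-parking.com/meter/17",
                "https://pay.example-parking.com@203.0.113.5/pay"):
        print(url, "->", vet_qr_url(url))
```
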

    Education and training to avoid unwitting scans.

    Given that Quishing represents one of the top cyber risks today, it is clear that this must be included in corporate Cyber Security Awareness training programs without a shadow of a doubt. Effective training on the risks of using these tools can ensure that all employees, especially those who also use company devices for personal use, are well-trained, aware, and think twice before clicking or scanning QR codes. 
