QR + Phishing = The evolution of silent threats

QR Phishing

The need to simplify processes, coupled with the post-pandemic consequences of zero contact, has led to the evolution of increasingly common silent threats. One of these is "phishing" via QR codes (QR Phishing), which involves the theft of sensitive information through scanning.

A QR code is an advanced version of barcodes, but in square form, which includes content hosted on the Internet. It is accessed through the camera of the mobile device or a scanning application, which then directs the user to the encoded link.

After the pandemic, scanning these codes became very popular for reading restaurant menus, accessing information or applications, downloading documentation, and making payments without human contact. Likewise, some documents such as invoices, medical receipts, certificates, or event tickets often have a QR code inserted, with the aim of facilitating the verification of information.

In addition to its recent popularity for sharing social media profiles such as Instagram, LinkedIn, Telegram, and WhatsApp, it has also been implemented in various advertising campaigns to simplify the information contained therein. 

This attack exploits users' trust when scanning these codes to distribute malicious URLs or programs through them. They usually request sensitive information for malicious purposes such as identity theft, data hijacking, bank account theft, or to execute malicious software that compromises the reputation and information of both corporate and individual users.

Cyber attackers take advantage of the trust people have placed in QR code scanning to secretly intercept their privacy.

Therefore, to protect yourself against this type of attack as an end user of mobile devices, we recommend the following: 

  1. Disable the function of automatically opening links when scanning QR codes
  2. Use scanning applications that allow you to view the URLs to which the code redirects before opening it.
  3. Avoid scanning codes from unknown sources.
  4. If you use codes to make payments or bank transactions, ensure that the operation has been completed correctly. 
  5. If the QR code is physical, verify that it has not been altered with stickers or other elements. 
  6. If you have a business, constantly check that your codes have not been modified.
  7. Keep your device and applications up to date.
  8. Check the context before providing personal information. 

However, this problem not only poses a great risk to these users, but also directly compromises the marketing departments of organizations. Given the ease of access that these codes provide for the execution of both physical and virtual advertising campaigns today, their implementation could carry risks for both the organization and its end customers.

In order to strengthen data protection and prevent the possible overlaying of QR codes for undesirable purposes, it is essential to: 

  1. Verify the source of the QR code before including it in the graphic elements of advertising campaigns. 
  2. Educate your audience by including clear and concise instructions for scanning the codes. 
  3. Monitor the performance of your QR codes and update the content as needed. 
  4. Implement additional security measures, such as 2FA authentication or dynamic codes that change over time. 
  5. Includes information about QR code security. 

Cybercrime evolves at the same pace as technology advances, and while the use of these codes has streamlined a variety of processes, they have also become attractive to cybercriminals for carrying out their malicious activities more discreetly.

Therefore, it is essential that end users of mobile devices and organizations remain informed and vigilant in the face of this type of problem, in order to ensure the protection of sensitive corporate and personal information. 

Because remember, cybersecurity begins the moment you turn on your mobile device.