QR codes have been around for a long time. But with everyone trying to limit contact, today they're nearly everywhere – and that's leading to a rise in fraud and risk.
I had an "ah-ha" moment about the explosion of QR codes the other day when I took my family on our annual 'pay money to wander and get lost in a corn maze for hours adventure'. It all started when a friend shared a QR coupon code for my favorite corn maze with me via social media. Knowing the maze is limiting the number of people and time slots this year, I quickly scanned the code and purchased my tickets, which were then sent to me in the form of a yet another QR code ticket.
Upon arriving at the maze, I presented my QR code tickets to the staff, who pointed me to a kiosk with another QR code to scan to activate the maze's scavenger hunt map. The map contained hints to even more QR clue boards that had been carefully placed through the maze. If you found them and finished with the fastest time you would win a prize - game on! We adjusted our face masks for optional aerodynamics and started our quest to find the first QR clue board. After wandering aimlessly and debating if you should always go right or left to navigate the maze, we eventually found all the QR code clues, but apparently didn't set any prize-winning time records.
Exhausted, defeated and questioning why we pay money to torture ourselves each year, we headed to lunch. In the spirt of contactless and paperless everything, the restaurant placed a QR code on each table to scan for the menu and to order our meal.
This day made me realize how QR codes have rapidly become mainstream. And, like any technology that's gaining traction, its growth is leading to a rapid rise in QR code fraud. Cybercriminals will always look for new ways to make money by manipulating the unfamiliarity of new services, technology and processes – and QR codes are no different. Many organizations introduced QR codes as a convenient way to promote contactless technology; however, they haven't trained users on how to properly use or spot a fraudulent one.
A perfect example of this is how cybercriminals are embedding QR codes into a phishing email, online, or via social media. These 'promotions' have emerged as a new favorite attack method. Often when you scan these fraudulent QRs, they take you to a fake website that asks you to provide login, payment or other personal info, or tricks you into downloading a malicious program onto your mobile device.
We all need to consider how to effectively manage these new digital risks, both in our personal and professional lives to help mitigate emerging threats while maximizing the opportunities that come with adopting disruptive digital technologies and new operating models.
Here are a couple of tips to help prepare yourself and your organization for this new type of fraud:
- After you scan a QR, a window to view its embedded URL should appear. If you don't see a URL, or if it looks like a shortened URL (like a bit.ly) – then beware. You may want to consider using a secure QR code scanner app that will check the website for you
- If you're using one device for both work and personal reasons, remember that the risks of scanning an unknown QR are similar to clicking on links in text messages that you weren't expecting – the only difference is that you've likely only been trained for the risks associated with texts
- If your organization is using QR codes for promotions, payments, or to access online services, you should consider aligning them with some type of Multi Factor Authentication method to mitigate against account takeover
Organizations should also monitor cybercrime forums for a new type of phishing attack where fraudsters could alter your domain name with a different or fictitious extension (for instance, swapping '.com' to '.org') – those switches can be very hard to spot and can still appear legitimate to an unwitting user.
As the holiday shopping season approaches, you should stay on top of the latest fraud trends by reading the recent release of the RSA Quarterly Fraud Report: it shares insights from our FraudAction Intelligence and Data Scientist teams about our online behaviors in the 'new normal' and the ways that cybercriminals are adapting their work to exploit these changes.