Cybercriminals are taking advantage of the convenience of QR codes to target us like never before. This incredible influx of fraud has endangered millions of Americans. These two-dimensional barcodes have become indispensable to our everyday lives. You can use them for everything from payment at gas station pumps to getting fuel saving promotions. Their ubiquity poses enormous security threats. A recent study revealed that a staggering 26% of all malicious links are currently sent via QR codes. This increasing phenomenon has created a dangerous trap for unsuspecting users.
Denise Joyal, a resident of Cedar Rapids, Iowa, has learned to be wary of QR codes. “I’m in my 60s and don’t like using QR codes,” she shared. And lots of other people echo her feelings. Hackers are taking advantage of the rush that usually accompanies the use of such codes. From critical healthcare payments to concerts and sporting events, the convenience of scanning a QR code often eclipses any security risks.
The Rising Threat of Quishing
Like the technology itself, as the use of QR codes became widespread so did the methods used by cybercriminals to exploit them. Attackers employ a tactic known as “quishing” to ensnare unsuspecting users. They generate bad QR codes that people unknowingly scan, directing them to a fraudulent website or prompting them to provide personal information. Gaurav Sharma, an expert in cybersecurity, highlights this trend: “The crooks are relying on you being in a hurry and you needing to do something.” This kind of manipulation of human behavior is particularly hazardous—we will see how it can lead to painfully large data breaches.
Dustin Brewer, senior director of proactive cybersecurity services at BlueVoyant, emphasizes the duality of QR codes: “They’re simultaneously useful and dangerous.” He cautions that it’s very simple for attackers to be able to subvert the intention of legitimate flyers and documents. They’re able to print their own QR codes and swap them for the real ones. This combines to create an acute challenge for the average user to identify when they are being deceived.
State and local consumer advisories are sounding the alarm nationwide. Their latest public safety campaign addresses the prevalence of QR code scams. The New York Department of Transportation and Hawaii Electric are among those urging customers to exercise caution when scanning codes. By some estimates, as high as 73% of Americans are scanning QR codes without confirming the source, creating a huge opportunity for malicious intent.
Innovations in Security Measures
In recognition of these increasing concerns, some companies are preemptively implementing new protections to help you feel more secure scanning QR codes. The Children’s Museum of Indianapolis upgraded their QR code systems a couple of years ago to better protect against scams. Natalie Piggush, a spokeswoman for the museum, explained their strategy: “At the museum, we use stylized QR codes with our logo and colors as opposed to the standard monochrome codes. We give an example of what users will experience when they scan one of our QR codes. On top of that, we regularly audit our current codes for any illegal changes or misallocated codes.
This level of vigilance is of utmost importance, as cybercriminals are constantly discovering new and creative ways to exploit systems. The museum’s approach is indicative of a larger movement among organizations interested in protecting their audiences. While these measures are all good starts, experts such as the federation’s Gaurav Sharma say tougher solutions are needed.
Sharma is working to create a new generation of advanced “smart” QR code, SDMQR (Self-Authenticating Dual-Modulated QR). This new and exciting technology comes with built-in security features that were intentionally manufactured to stop scams. As he recognizes, getting it to be adopted broadly will take a lot more — notably, the buy-in of big tech titans, including Google and Microsoft.
The Future of QR Codes and Cybersecurity
With each step forward in technology, new cybersecurity challenges are created right alongside these advancements. Rob Lee, a cybersecurity expert, notes that QR codes were not initially designed with security in mind: “QR codes weren’t built with security in mind. They were built to make life easier, which makes them perfect for scammers.” This built-in weakness begs the question of how safe today’s common QR code usage in daily transactions will be moving forward.
Brewer cautioned that we’re in a “cat and mouse game” in cybersecurity. Solutions are always being created, and attackers immediately turn around and find new ways to exploit them. “People will figure out solutions and the crooks will either figure out a way around or look at other places where the grass is greener,” he says.
For people such as Denise Joyal, this changing and confusing environment is deeply concerning. “I definitely worry about security issues,” she states. There is truly nothing I detest more than when one is required to scan a QR code to take advantage of a promotion with no other option offered to engage.