12 May
Think Twice Before Scanning That QR Code
QR CODES – short for Quick Response codes – are everywhere these days, on the tables at restaurants, on posters, print and electronic advertising, and even during TV programming and commercials.
But now even these are prone to misuse, and if one of your employees scans a bogus one, the scammers can potentially steal funds and business or personal data.
The FBI recently warned that criminals are using tampered codes to redirect people to malicious sites that could access your firm’s sensitive data.
They can send the code through e-mail as promotion codes. They also may paste the fake code on the original one, such as on parking meters, flyers, or a restaurant table where the original code would bring up the menu.
The FBI says criminals are using QR codes in two ways:
1. When scanned, the code takes you to an imposter phishing website trying to trick you into logging in, hoping that you will use an existing username and password, or share other personal or banking information.
The QR code releases malicious code – such as malware, ransomware and trojans – onto your phone, allowing criminals to track information from your phone and even lock you out of the device, releasing it only if you pay up.
2. The QR code can compose pre-written e-mails and send them from your account.
These e-mails are often new phishing e-mails aimed at getting your contacts to open and click on malicious links. Scammers can also program the codes to open payment sites and follow social media accounts.
Train Your Staff
Cyber security firm Aura and news site TechTarget recommend training your staff to:
- Avoid opening QR codes in mail – Do not scan QR codes received in regular mail and e-mails. Delete the latter and notify the IT department.
- Avoid log-in pages – If a QR code takes you to a log-in page, do not enter your credentials.
- Look for signs of tampering – Scammers may place QR code stickers over legitimate ones. Check to see if the code is on a sticker above another one, or for signs it has been tampered with.
- Preview the URL first – The box that opens when you scan a QR code includes text identifying the site to which it will direct you. Beware of a URL that doesn’t look complete or that you can’t read.
- Check for signs it’s not legit – Clues a site is not legit include misspelled words or odd grammar. The design may be shoddy and the images low resolution.
- Watch out for QR codes in public places – These codes may have been placed there by a scammer.
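As an added illustration of the "preview the URL first" advice above (example code written for this page, not from the article, Aura or TechTarget), the Python function below takes the text a scanner app decodes from a QR code and lists the warning signs the article describes before anything is opened. The sample payloads are constructed, and the shortener list and log-in keywords are assumptions chosen for the example.

```python
import ipaddress
import re
from typing import List
from urllib.parse import urlsplit

# Constructed sample payloads, as a scanner app would decode them (not real sites).
SAMPLE_PAYLOADS = [
    "https://www.example-restaurant.com/menu",
    "http://203.0.113.9/login",
    "https://bit.ly/3xyz",
    "https://login.xn--exmple-cua.com/verify",
    "mailto:staff@example.com?subject=Urgent&body=Please%20click",
]

# Assumed lists for the example: common shorteners hide the real destination;
# these path words suggest a log-in page, where the article says not to type credentials.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
LOGIN_HINTS = re.compile(r"(login|signin|sign-in|verify|account|password)", re.I)


def triage_qr_payload(payload: str) -> List[str]:
    """Return the warning signs found in a decoded QR payload (empty list = none)."""
    p = payload.strip()
    lower = p.lower()
    warnings = []
    # Codes that compose a message (the article's "pre-written e-mail" case).
    if lower.startswith(("mailto:", "matmsg:", "smsto:", "sms:")):
        warnings.append("composes a message: review recipient and text before sending")
        if "body=" in lower or "body:" in lower:
            warnings.append("message body is pre-written by the code's author")
        return warnings
    parts = urlsplit(p)
    if parts.scheme not in ("http", "https"):
        scheme = parts.scheme or "none"
        return [f"not a web link (scheme {scheme!r}); do not let the phone open it blindly"]
    if parts.scheme != "https":
        warnings.append("plain http: traffic to the site is not encrypted")
    host = parts.hostname or ""
    if not host:
        warnings.append("URL has no readable host")
    else:
        try:
            ipaddress.ip_address(host)
            warnings.append("host is a raw IP address, not a site name you can check")
        except ValueError:
            pass  # a normal host name
        if "xn--" in host:
            warnings.append("internationalised (punycode) host; may imitate a familiar name")
        if host in URL_SHORTENERS:
            warnings.append("shortened link: destination is hidden until opened")
    if "@" in parts.netloc:
        warnings.append("user-info before the host can disguise the real site")
    if LOGIN_HINTS.search(parts.path + "?" + parts.query):
        warnings.append("looks like a log-in page: do not enter credentials")
    return warnings


if __name__ == "__main__":
    for sample in SAMPLE_PAYLOADS:
        print(sample, "->", triage_qr_payload(sample) or ["nothing flagged"])
```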
IT department actions
Your IT and/or security team should also ensure that:
- Security software is up to date – Ensure that users are running the latest security software on mobile devices that have access to corporate resources. The software should be able to protect against device takeover attacks, phishing attacks and other mobile device exploits.
- MFA is implemented across the organization – Implement multifactor authentication requirements across your company as an interim measure, and then gradually work on adopting an authentication solution that does not rely on passwords. Many QR code-based attacks are designed to trick users into entering their passwords so that cyber criminals can steal their credentials. If you can eliminate the need for passwords, you can greatly reduce the success rate of these attacks.