Think before you scan — how to use QR codes safely
2020 was the year of mass QR (quick response) code adoption in Singapore. From enabling digital payments to convenient contact tracing, these nifty codes have saved us from the dread of filling in countless forms (paper or digital) as we go about our daily lives.
As with any platform used to facilitate data sharing, the immediate question that comes to mind is — is it safe?
While QR code technology itself is inherently safe, we must be wary of the ways cyber attackers could exploit these codes for nefarious gains, especially as our reliance on them grows.
HOW CYBER CRIMINALS COULD EXPLOIT QR CODES
During the pandemic, Unit 42, the threat intelligence team at cyber security firm Palo Alto Networks, detected cyber criminals discussing ways to abuse QR codes and target everyday consumers on underground online forums.
Unit 42 also found open-source tools and video tutorials online that offered training on how to use QR codes to conduct attacks.
These QR codes could offer an entryway for cyber attacks because it is unclear where a code will eventually lead the user.
As they automatically redirect users to web pages, app stores, and payment pages, cyber criminals gain opportunities to insert themselves into the process.
There are several ways cyber criminals could make use of QR codes for malicious gains.
One method would be to hack into a business's website and replace the QR code with their own.
With QR codes looking so similar, a swapped code would be incredibly hard to spot.
Scanning this code could route unsuspecting consumers to a phishing URL, where cyber criminals could request user credentials and then take control of email or social media accounts.
It could also lead users to unofficial app stores where they might unknowingly download a malicious app containing a virus or other types of malware. More serious consequences like data theft or a privacy breach could result.
In Singapore, about 210 cases of QR codes being used as mediums to perpetrate scams have been reported in the past three years.
These include internet love scams and China official impersonation scams, where victims scan legitimate QR codes to transfer money to the scammer’s bank account or cryptocurrency address.
QR CODES: THINK BEFORE YOU SCAN
So, how can we protect ourselves? While there is no certain way to tell if a QR code is being abused by cyber criminals, there are precautions we can take.
We have all been taught to "think before we click" on a suspicious link or email.
It is now time to apply this to QR codes — think before you scan.
Scan a QR code only if it is from a trusted source, and preview the website and domain name to ensure that it is where you expect to be directed.
There are many secure QR code scanning apps which allow users to preview websites before they visit them.
Certain browsers also allow users to disable automatic redirects to unknown websites, enabling individuals to double check the URL domain before deciding if it is trustworthy.
Be sure to download apps only from trusted sources such as Apple’s App Store or the Google Play Store. On top of that, keep all smart devices continuously updated to benefit from the latest security protections.
For their part, business owners and IT administrators need to carry out regular integrity checks on their sites and apps to ensure that their QR codes contain the right information and links.
Both the web and mobile browser versions have to be checked, as cyber criminals have been known to compromise only the latter to reduce the chance of detection.
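One way a site owner could automate the integrity check described above is sketched here as an added example; it is not code from the article or from Unit 42. It assumes the QR images on the desktop and mobile pages have already been decoded to text by a QR library of your choice, and the baseline, hostnames and payloads are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed baseline: the destination each published QR code is meant to encode.
EXPECTED = {"pay-counter": "https://pay.example.com/checkout?m=1001"}

# Constructed sample: payloads decoded from the desktop and mobile renderings.
# The mobile one has been swapped for a lookalike that hides the real host
# behind a userinfo prefix.
SAMPLE = {
    "desktop": "https://pay.example.com/checkout?m=1001",
    "mobile": "https://pay.example.com@pay-example.net/checkout?m=1001",
}

def check_payload(code_id, decoded):
    """Return a list of findings for one decoded QR payload (empty means OK)."""
    want = urlsplit(EXPECTED[code_id])
    got = urlsplit(decoded.strip())
    host = (got.hostname or "").lower()
    findings = []
    if got.scheme != "https":
        findings.append(f"scheme is {got.scheme!r}, expected https")
    if got.username or got.password:
        # "https://trusted@evil" shows the trusted name first in a preview.
        findings.append("userinfo present before host")
    if host != want.hostname:
        findings.append(f"host is {host!r}, expected {want.hostname!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host")
    if (got.path, got.query) != (want.path, want.query):
        findings.append("path or query differs from baseline")
    return findings

def audit(code_id, payload_by_view):
    """Check every rendering and flag desktop/mobile disagreement."""
    report = {view: check_payload(code_id, p)
              for view, p in payload_by_view.items()}
    if len(set(payload_by_view.values())) > 1:
        report["consistency"] = ["renderings serve different QR payloads"]
    return report

if __name__ == "__main__":
    for view, findings in audit("pay-counter", SAMPLE).items():
        print(view, findings or "OK")
```

The same host and scheme comparison is what a scanning app's URL preview lets a user do by eye before opening the link.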
Employers should also provide their employees with adequate training to educate them on cybersecurity best practices.
These include using strong and unique passwords for both personal and work accounts, setting up multi-factor authentication, and identifying phishing emails as well as unsafe virtual environments.
As many employees continue to work remotely, cyber awareness training will equip them with essential knowledge to make sensible decisions, lowering the risk of attackers gaining access to any personal and corporate networks, devices, and data.
As with any technology that becomes ubiquitous in mainstream society, it is likely that we’ll see a rise in cyber criminals’ attempts to abuse QR codes in the coming months.
There is no room for complacency, especially as QR codes continue to play a vital role in Singapore’s fight against the Covid-19 pandemic.
Cybersecurity is a shared responsibility, and it is vital that we are aware of the risks to be able to take the necessary precautions to protect our devices and data.
ABOUT THE AUTHOR:
Vicky Ray is principal researcher at Unit 42, the global threat intelligence arm of American cyber security firm Palo Alto Networks.