The QR code is a fairly dated technology (for the record, it was invented in Japan in 1994 by Denso Wave, a subsidiary of Toyota, to track car parts), but it is still widely used today in various fields, including cybercrime. A QR code in itself is neither safe nor dangerous: it is simply a “graphic link” that refers to an action. It can open a legitimate site, let us access a Wi-Fi network or show us a menu, but it can also direct us to a malicious web page, built to steal data or trick us into carrying out operations that we would not knowingly perform. In this study we therefore try to clarify why QR codes can be dangerous and become a vector of possible cyber risks in specific contexts, what the most realistic abuse scenarios are, and how we can protect ourselves with common sense, without falling into the trap of mistrust or, even worse, paranoia.
Why QR codes can be dangerous
Even though QR codes have existed since the 1990s, what accelerated their use was the unforgettable COVID-19 pandemic, a period in which quick solutions that allowed contactless access to various services were necessary. Since 2020 the use of QR codes has grown, and we now find them practically everywhere: on screens, posters, products, cards and devices without a keyboard, such as smart TVs. Technically, a QR code is a two-dimensional code that contains camera-readable data; that data can represent a web address, text, and so on. No complex infrastructure is required, and anyone can generate one in a few seconds using any of the countless online services and applications built for this purpose. It is precisely this popularity and ease of generation that also makes them interesting to cyber criminals.
There are documented cases of QR code-based scams, but their impact is still relatively limited compared to other cyber scams. The most common episodes occur in open places such as stations or parking lots (where they might be found on parking meters or in the form of fake fines on car windshields), where a code can be replaced with a fraudulent sticker. In other cases, scammers might even send paper letters containing fraudulent QR codes to people's homes (as happened in Switzerland some time ago). Scanning the QR code is often not enough to cause damage: social engineering also comes into play, that is, the set of techniques that exploit people’s trust and emotional reactions, used by cyber criminals to trick their victims into performing dangerous actions (such as filling out forms, providing payment information, and the like).
Not surprisingly, as underlined by the NCSC (National Cyber Security Centre), QR codes «are increasingly used in phishing emails», a practice called quishing, a fusion of “QR” and “phishing”. Phishing, for the record, is a technique that aims to trick the victim into providing personal information by means of messages that pretend to be official communications. Inserting a QR code in a message has several advantages for the attacker: while a user may be wary of a suspicious link, an image containing a QR code could be perceived as absolutely harmless and, consequently, they could scan the code without a second thought. The scam is then completed if the user carries out the actions intended by the cyber criminal who set the trap: for example, downloading applications that actually hide malware, or filling out online forms designed to perpetrate identity theft or bank fraud.
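Added example (not from the original article): a sketch of how a mail filter or scanner app could triage the decoded text of a QR code before acting on it, which is the step that makes a hidden quishing link visible again. It assumes the image has already been decoded to a string; `triage`, `parse_wifi` and the sample payloads are hypothetical, and the `WIFI:` layout is the de facto format used by common scanner apps.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def parse_wifi(payload):
    """Parse a 'WIFI:T:WPA;S:name;P:pass;;' join string; '\\' escapes ';' ':' and '\\'."""
    pairs = re.findall(r"([A-Za-z]+):((?:\\.|[^;\\])*);", payload[len("WIFI:"):])
    return {k.upper(): re.sub(r"\\(.)", r"\1", v) for k, v in pairs}

def triage(payload):
    """Return (kind, findings) describing what acting on this payload would do."""
    text = payload.strip()
    # A URI scheme followed directly by data; "Menu: pasta" stays plain text.
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):(?=\S)", text)
    scheme = m.group(1).lower() if m else ""
    if scheme == "wifi":
        w = parse_wifi(text)
        notes = ["joins network %r" % w.get("S", "")]
        if w.get("T", "nopass").lower() in ("", "nopass"):
            notes.append("open network, no encryption")
        return "wifi", notes
    if scheme in ("http", "https"):
        u, notes = urlsplit(text), []
        host = u.hostname or ""
        if scheme == "http":
            notes.append("no TLS")
        if u.username or u.password:
            notes.append("userinfo before '@' hides the real host")
        if any(label.startswith("xn--") for label in host.split(".")):
            notes.append("punycode label in host")
        try:
            ipaddress.ip_address(host)
            notes.append("IP literal instead of a domain name")
        except ValueError:
            pass
        return "url", notes
    return ("other-scheme", ["opens the handler for %r" % scheme]) if scheme else ("text", [])

# Constructed sample payloads (documentation domains and addresses only).
SAMPLES = [
    "https://menu.example.com/lunch",
    "http://203.0.113.10/pay",
    "https://parking.example.com@xn--parkng-9ua.example/fine",
    "WIFI:T:nopass;S:Free\\;WiFi;;",
    "Table 12",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s), s)
```

An empty findings list only means none of these structural checks fired; it says nothing about the reputation of the destination.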
How to protect yourself from malicious QR codes
To defend yourself from malicious QR codes, it is important to pay attention to the place (physical or digital) where you scan the codes in question. Consider these examples.
- Restaurants, pubs, bars, and similar: in places like these the risk is generally low, given that QR codes are usually used by the managers of these places to let customers download the menu, price list, etc.
- Car parks, stations, public toilets, etc.: in unattended spaces like these, the risk of encountering malicious QR codes is decidedly higher. Here you should keep your alert threshold higher.
- Email, direct messages and various online communications: given the increase in cases of quishing via e-mail, here too you must pay maximum attention to suspicious messages that invite you to scan a QR code.
As we have already explained, scanning a QR code in itself should not involve major risks; the problem arises later, when potentially dangerous actions are performed on the web page that opens once the two-dimensional code has been scanned. In this case, it is good to keep in mind not to provide personal information (such as payment details) and not to download apps of any kind (except through the official store of your device). Another “bonus” tip, provided by the National Cyber Security Centre of the United Kingdom: it is better to use the scanner installed “as standard” on your smartphone rather than third-party apps.
