QR codes: a cybersecurity threat

In the crisis, technology became one of the most important tools, as the use of mobile devices grew exponentially thanks to their useful functions. Applications such as Zoom, Google Meet and Microsoft Teams were the “salvation” of companies and educational institutions that were able to continue their activities in the midst of enforced isolation.

However, none of these apps would have been what they were without two fundamental tools: the camera and the Internet. With these two supports, even the simplest software can take centre stage. Just as QR codes have been in the last year and a half.

This little box filled with black and white shapes is one of the technological options that has been used the most during the gradual economic revival. Considering that it fulfils one of the most important requirements of any pandemic: social distancing.

With QR, for example, it was no longer necessary to print out menus for a restaurant. Now all you need to do is take out your smartphone and scan the corresponding code; a simple way to take care of your health and, of course, the environment.

As BeyondTrust put it in a press release, “this useful tool has become a quick and easy way to steal user information and commit cybercrime. Once scanned, it runs the risk of implanting spyware or malware that can compromise a person’s identity”.

“Scanning a QR code automatically uploads or initiates a phone call to a predefined number. With all the recent robocall and SIM Jacking attacks. This is another method for someone to gain access, without your permission, to your phone and identity. Basically, you are calling someone you don’t know and handing over your caller ID information.”

In this way, you can also become a victim of phishing, falling into a fraud that can result in the partial or total loss of money held in a bank account.

A QR, for the most part, redirects to websites that, in many cases, could be considered untrustworthy. The content within these websites could be harmful to people’s private information. Either by malware or other unwanted content directly attacking their data. Or gradually becoming a threat to them.

“Scanning links to a page directly in an app shop can make an app easy to download. While this is convenient, the listing could be malicious (especially on Android devices). Or it could be a fake page that uses an embedded URL to trick you into loading an unauthorised malicious app. The best option is to always navigate to an app yourself and not rely on a direct link.”

We recommend that if you ever see a QR code on a wall, building, computer screen or even a business card outside your home, do not scan it. A cybercriminal can easily paste their malicious QR code on paper over a real one, create an imitation and you won’t be able to tell if the content is safe or malicious.