The popularity and convenience of QR codes (Quick Response codes) have made the technology ubiquitous. In the USA in 2022, around 89 million smartphone users scanned a QR code using a mobile device. QR code popularity is captured in a 2024 report on QR code trends, which found a 47% increase in QR code usage each year. QR codes are easy to use, and most Android and iOS smartphones offer a built-in QR code scanner.
Companies of all sizes and sectors use QR codes for marketing, communication with customers, and even logging into accounts. It is this trust and convenience that scammers exploit. Cybercriminals favor popular technologies because they are trusted and have a large user base, which makes them an effective route for scamming users, hijacking accounts, and spreading malware. "QR code phishing" is on the rise because of the popularity of the technology. Organizations including the FBI, the FTC (Federal Trade Commission), and the UK's National Cyber Security Centre (NCSC) release regular notices about the dangers of QR code phishing. A recent FTC announcement warns, "A scammer's QR code could take you to a spoofed site that looks real but isn't. And if you log in to the spoofed site, the scammers could steal any information you enter."
Understanding how cybercriminals use QR codes to hack your corporate network is essential for all businesses. Here, TitanHQ looks at how anti-phishing tools, like PhishTitan, can prevent QR codes from causing security incidents.
How QR Code Phishing Scams Work
QR codes work by encoding data, such as a link to a website, in a black-and-white grid of dots, much as the barcodes on food packaging encode a product number. A smartphone camera is typically used to scan the QR code, but dedicated apps and specialist QR code scanning devices are also used. Once scanned, the data held in the QR code is decoded into human-readable text or, now more commonly, presented on screen as a clickable website URL. QR codes are increasingly used to open a website or an online video, or to download an app, quickly and simply. It is this embedding of web links in a QR code that a cybercriminal exploits to carry out a phishing attack, sending unsuspecting users to a malicious website.
QR Code phishing is widespread, and anyone using QR codes can expect some form of scam to exploit the process. However, popular scams target payroll and HR personnel, administrator accounts, and the public.
Types of QR Code Phishing
QR codes are convenient for users, but they are also convenient for cybercriminals. As a result, there are a few variations on the QR code scam theme doing the rounds:
1. Quishing (QR-Phishing)
Quishing is a portmanteau of QR code and phishing. Quishing fraudsters embed a malicious QR code in a legitimate-looking email. A recent example of a quishing attack targeted Microsoft Office 365 users and used QR codes to steal login credentials. Fake Office 365 emails built trust with the recipient (the target) and urged them to listen to missed voicemail messages by scanning a QR code. When a targeted employee scanned the spoof QR code, they were taken to a highly convincing fake Office 365 page, which asked them to enter their credentials to access the message. Any credentials submitted were sent to the fraudster to use with Office 365.
QR codes are also regularly used in other scam types, such as tax scams and car parking machine scams. The UK tax authority, HMRC, uses QR codes only in a limited way: in its "...letters and correspondence; we sometimes use QR codes but only to take you to guidance on GOV.UK — we will not take you to a page where you must input personal information." Even this limited use has spawned scams combining QR codes and tax. Cybercriminals exploit people's unfamiliarity with how HMRC uses QR codes: they send spoof HMRC texts or emails containing a QR code, and a person who scans it is shown a link that leads to a fake web page requesting bank details and other personal data. Every tax season, we will likely continue to see QR codes used to carry out tax fraud.
2. QRL Jacking (Quick Response Code Login)
Logging in with a QR code has become increasingly popular because of the convenience it offers users. QR code login is a form of single sign-on (SSO) that gives convenient sign-in across multiple apps, which suits both companies and their employees. The user scans the QR code with a trusted device that is already connected to the account, and the new session is logged in. Cybercriminals are, again, using this convenience and trust to phish users. The international cybersecurity organization OWASP (Open Worldwide Application Security Project) has this to say about the abuse of QR code SSO by QRLJacking: "such (an) approach can be easily abused to fool a user into authenticating a malicious attacker on behalf of himself to sensitive web services, defeating the whole point of such an approach!"
A QRLJacking attacker starts a QR code login on a legitimate site, which generates a sign-in session and the QR code that authorizes it. The attacker then captures this QR code (for example, by screen scraping) and places the legitimate QR code on a phishing site made to look exactly like the site the code was taken from. With the QR code in place, the attacker uses spear-phishing to lure targeted individuals to the spoof site. The unsuspecting target scans the QR code on the imitation login page with their trusted device, believing they are signing in themselves, but the session they authorize is the one the attacker opened. That login session lets the attacker into the legitimate site.
This scam is more challenging to carry out because it is time-sensitive; however, because it offers access to high-value or sensitive accounts, cybercriminals will pursue this tactic. According to OWASP, this type of QR code scam targets privileged accounts and information disclosure.
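The defensive side of the QRLJacking flow just described, as an added example that is not from the page, OWASP or any product: a minimal QR-login backend that makes a relayed QR code useless by expiring tokens quickly, making them single-use, showing the approving user where the browser request came from, and refusing approvals when the phone and the requesting browser are on different networks (a simple /24 comparison, assumed here as an illustrative heuristic). The class, its method names and the `now` clock parameter are all constructed for this example.

```python
# Constructed example of QR-login hardening against QRLJacking. Mitigations shown:
# short token lifetime, single use, session confirmation by the user, and an
# IP-network check between the browser that requested the QR and the phone.
import ipaddress
import secrets
import time

TOKEN_TTL = 60  # seconds; a scraped QR code goes stale before it can be reused widely

def same_network(a, b, prefix=24):
    """Illustrative 'same network' heuristic: compare the two addresses' /24."""
    return ipaddress.ip_network(f"{a}/{prefix}", strict=False) == \
           ipaddress.ip_network(f"{b}/{prefix}", strict=False)

class QrLoginServer:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.sessions = {}        # token -> {"ip", "created", "user"}

    def new_login_qr(self, browser_ip):
        """A browser asks for a login QR; the token is bound to its source IP."""
        token = secrets.token_urlsafe(24)
        self.sessions[token] = {"ip": browser_ip, "created": self.now(), "user": None}
        return token              # this value is what the QR image encodes

    def approve_from_phone(self, token, user, phone_ip, user_confirmed_origin):
        """The signed-in phone app scanned a token and asks to approve it."""
        s = self.sessions.get(token)
        if s is None or s["user"] is not None:
            return "rejected: unknown or already used token"
        if self.now() - s["created"] > TOKEN_TTL:
            del self.sessions[token]
            return "rejected: token expired"
        # In a QRLJacking attempt the QR was requested from the attacker's
        # browser, so its IP will not match the victim's network.
        if not same_network(phone_ip, s["ip"]):
            return f"rejected: browser at {s['ip']} is not on your network"
        # Session confirmation: the app displayed the requesting browser's
        # address/location and the user explicitly confirmed it.
        if not user_confirmed_origin:
            return "rejected: user did not confirm the browser shown"
        s["user"] = user
        return "approved"

    def poll_browser(self, token, browser_ip):
        """The browser polls; it only receives a session if it is the same client."""
        s = self.sessions.get(token)
        if s is None or s["user"] is None or s["ip"] != browser_ip:
            return None
        del self.sessions[token]  # single use: a second poll gets nothing
        return {"user": s["user"], "session": secrets.token_hex(16)}
```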
3. QR Crypto-quishing (QR Code Cryptocurrency Scams)
The FBI is concerned about many forms of QR code phishing. One area of focus by the FBI is fraud involving cryptocurrency. The FBI points out that many crypto transactions use QR codes associated with crypto accounts, which makes these transactions a target for QR code scammers. One piece of research into QR crypto-phishing found that 4 out of 5 Bitcoin QR code generators were scams. The fraud works like this: a user asks the generator for a QR code for their own crypto wallet, but the code it produces instead encodes a malicious link, replacing the user's wallet link. Another type of QR code crypto-scam captures persistent consent (prior authorization) to use the wallet, which lets the fraudster drain the wallets of cryptocurrency investors.
4. Drive-by-QR Code Phishing
Drive-by downloads of malware are one of the most insidious forms of malware infection: a person only has to land on an infected site, and a flaw in any software they use can open the door to infection. QR code phishers take advantage of drive-by-download opportunities by sending phishing emails with QR codes that take the recipient to an infected website. One scan of the code and their mobile device may be infected with a trojan.
Ways to Prevent QR Code Phishing
QR code phishing is designed to evade detection by conventional security tools. However, phishing and other scams, including QR code phishing, can be stopped by applying a series of layered and advanced solutions. The following layers work together to break the QR code phishing cycle:
1. Train Your Employees: Begin preventing QR code phishing success by educating your workforce. Regular, behavior-based security awareness training should be used to train employees on the perils of QR code phishing. Also, ensure that you include QR code phishing templates in your simulated phishing exercises, so employees understand what these phishing emails look like, and the different methods used to steal credentials and other data.
2. Use a DNS Filter: A DNS filter breaks the phishing cycle by stopping users from navigating to a malicious website. It maintains a dynamic blocklist of URLs built from a "threat corpus" drawn from the data of millions of subscribers; these data train machine learning algorithms, so even emerging malicious URLs are spotted and added to the blocklist.
3. Apply Email Filters: Email filters such as SpamTitan use advanced technologies, including AI and NLP (natural language processing), to catch evasive phishing techniques, including QR code phishing. Advanced AI-based algorithms detect even emerging threats and zero-minute phishing attacks.
4. Advanced Phishing Detection: Education, DNS filtering, and email filters are three layers of protection, but the fourth layer is to detect the QR code phishing threat before it enters the employee inbox. PhishTitan provides advanced phishing detection, including the detection of quishing attempts. PhishTitan stops an employee from navigating to a malicious website reached via QR codes and other phishing tactics. PhishTitan's power is based on advanced AI-based algorithms that can spot difficult-to-detect and complex phishing attacks, and PhishTitan keeps ahead of the quishing fraudsters.
How PhishTitan Stops QR Code Phishing
Researchers have identified a 51% increase in QR code phishing, focusing on stealing Microsoft two-factor authentication (the most popular QR code phishing use) and banking credential theft (the second most popular use of quishing). URL redirects to malicious websites are a popular and successful method used by QR code scammers. One of the most effective ways to stop QR code scamming is to use anti-phishing technology like PhishTitan. PhishTitan is an advanced anti-phishing platform that uses AI-powered phishing detection. The use of intelligent technologies is vital in QR code phishing detection. Conventional email security solutions, like the built-in defenses in many productivity apps, struggle to detect QR code phishing. PhishTitan is a multi-tool anti-phishing solution that uses multiple layers of detection and prevention to capture hard-to-detect and evasive phishing techniques, including QR code phishing. These layers of protection include the following:
AI-Driven Threat Intelligence
QR code phishing is subtle, clever, and evasive. The chain of attack must be intercepted to identify and stop QR code attacks. PhishTitan uses AI to analyze the body text of an email to identify malicious content, including malicious QR codes. PhishTitan uses training data from a vast threat corpus to identify dangerous URLs and spoof web pages. Once identified, any employee is stopped from navigating to these malicious web pages.
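To make concrete what an email-side filter can check once a QR code has been decoded, here is an added example that is not PhishTitan's code or any vendor's method: it triages decoded QR payloads against a small blocklist, a brand allow-list keyed off the lure text (the Office 365 voicemail and HMRC lures above), and a redirect check. The brand domains, keyword lists, blocklist entry and all sample URLs are constructed for the example, and the crude eTLD+1 helper is an assumption, not a public-suffix implementation.

```python
# Constructed example: triage of URLs decoded from QR codes in inbound email.
# Assumes the QR images were already decoded to payload strings (by a zbar or
# zxing step that is not shown); this code only classifies those payloads.
from urllib.parse import parse_qs, urlparse

# Hostnames the impersonated brands legitimately use: a hypothetical, trimmed
# allow-list for the example (a real filter would use a maintained feed).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "hmrc": {"gov.uk"},  # HMRC says its QR codes only point at GOV.UK guidance
}
# Words in the email text that reveal which brand the lure imitates.
LURE_KEYWORDS = {
    "microsoft": ("office 365", "m365", "microsoft", "voicemail"),
    "hmrc": ("hmrc", "tax refund", "tax rebate"),
}
BLOCKLIST = {"o365-voicemail-login.example"}  # constructed threat-feed entry
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "target", "u"}

def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the domains used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def claimed_brand_from_text(body):
    """Which brand the email text pretends to come from, or None."""
    text = body.lower()
    for brand, words in LURE_KEYWORDS.items():
        if any(w in text for w in words):
            return brand
    return None

def triage_qr_payload(payload, claimed_brand=None):
    """Return (verdict, reasons) for one decoded QR payload."""
    u = urlparse(payload.strip())
    if u.scheme not in ("http", "https"):
        return "review", ["non-web payload (%s:)" % u.scheme]  # wifi:, tel:, ...
    host, reasons = u.hostname or "", []
    if host in BLOCKLIST or registrable(host) in BLOCKLIST:
        reasons.append("blocklisted host %s" % host)
    if claimed_brand and registrable(host) not in BRAND_DOMAINS[claimed_brand]:
        reasons.append("lure imitates %s but host is %s" % (claimed_brand, host))
    for key, vals in parse_qs(u.query).items():  # second URL hidden in the query
        if key.lower() in REDIRECT_PARAMS and any(v.startswith("http") for v in vals):
            reasons.append("redirect target in %s=" % key)
    return ("block" if reasons else "allow"), reasons

def triage_email(body, qr_payloads):
    """Classify every QR payload in one email in the light of its text."""
    brand = claimed_brand_from_text(body)
    return [(p,) + triage_qr_payload(p, brand) for p in qr_payloads]
```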
Real-Time Threat Analysis
Analysis by PhishTitan is done in real time. Even advanced phishing threats, including QR code attacks, are captured before an employee can accidentally follow a malicious link.
URL Rewrite Detection
PhishTitan adds a further layer of protection by rewriting URLs with its 'Link Lock' service. Potentially dangerous URLs are placed in Link Lock, where PhishTitan inspects and rewrites them, checking for links to malicious websites.
Post-Delivery Remediation
Another layer of PhishTitan protection is post-delivery remediation, whose fine-grained detection and prevention keep employees' inboxes safe.
Time of Click Protection
The next layer of protection offered by PhishTitan is 'time of click' protection. PhishTitan checks any destination a QR code points to, so that if a user follows the link, a malicious website is blocked.
Integration with M365
PhishTitan seamlessly integrates into M365, enhancing Microsoft’s built-in email security.
Talk to TitanHQ's experts about how to keep your employees and your company safe from QR code phishing.