Stop and think about how many times you use QR codes in your daily life, in all kinds of situations. Consider, too, that their ease of use has made them an attractive tool for criminals, who can use them to steal data, access sensitive information or carry out fraudulent transactions. In this article we review how QR codes can give us more than one headache and how we can avoid it.
How many times have you used a QR code to access a restaurant menu? They are also often used to access payment services and catalogues, connect to public WiFi networks, generate loyalty cards in shops, work with our smart watches, or get into events such as concerts and museums… If you stop to think about it, the use of these types of codes is very widespread.
Focus the camera and voilà. So simple and yet so dangerous if the necessary precautions are not taken. There are recurring fraud alerts warning us of the use of QR codes to steal information, carry out fraudulent payments or download malware onto our devices.
How to avoid risks
Let’s not get carried away. Let’s review some of these risks and how we can act to avoid them.
- QRishing is a type of phishing that uses QR codes. Through a web page, email or message, criminals get the user to scan a code that redirects them to a fraudulent page that usually asks for sensitive information.
- Downloading malicious code or malware onto the victim’s mobile device after scanning a code. Vulnerabilities in the phone are exploited to perform various actions, for example, leaking stored information, subscribing to payment services, sending emails… In some cases, the victim is not even aware of what is happening, but may notice that the device slows down excessively.
- QRLJacking, or session hijacking, consists of hijacking the account of a service that uses the QR code login function. By scanning a modified QR code, the user accesses an account that impersonates the original one and in which their credentials are captured, thus allowing access to their account information. One of the latest alerts from Incibe (Instituto Nacional de Ciberseguridad) warned of this type of crime with Microsoft accounts. It has also happened with the WhatsApp Web service.
Before scanning, think about
Incibe itself provides us with some recommendations to avoid falling into these scams:
- The first thing is to verify the origin of the code we want to scan and that it redirects to the correct page. To make this task easier, we can disable the automatic opening of QR codes in the browser and use applications that show us which URL the code redirects to before opening it. This can help us detect that the page may be fraudulent.
- If the QR code is in the physical world, in a restaurant or on a display, criminals usually tamper with it by placing a sticker over the original code. It is important to look carefully and not scan if in doubt.
- Do not provide any private data or passwords to websites that you have accessed via a QR code.
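The URL preview from the first recommendation can be automated. The sketch below is an added example, not code from the original article or from Incibe: it inspects a decoded QR payload and lists warning signs before anything is opened. The shortener list, the `expected_domains` parameter and all sample values are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative list (assumption); maintain your own in practice.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def preview_qr_payload(payload, expected_domains=()):
    """Classify a decoded QR payload and list red flags, without opening it.

    Returns (kind, host, warnings). expected_domains is a hypothetical
    allow-list, e.g. the domain printed on the menu or poster.
    """
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    if scheme not in ("http", "https"):
        # WIFI:, tel:, smsto:, app links... show them to the user, never auto-run.
        kind = scheme or "text"
        return kind, None, [f"non-web payload ({kind}): confirm before acting"]
    try:
        parts = urlsplit(text)
    except ValueError:
        return "url", None, ["malformed URL"]
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username or parts.password:
        warnings.append("text before '@' is not the host and can disguise it")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # a normal DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host: possible look-alike domain")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    if expected_domains and not any(
        host == d or host.endswith("." + d) for d in expected_domains
    ):
        warnings.append(f"host {host!r} is outside the expected domains")
    return "url", host, warnings

# Constructed sample: a sticker-style QR payload pointing at a documentation IP.
if __name__ == "__main__":
    print(preview_qr_payload("http://restaurant.example@198.51.100.7/menu",
                             expected_domains=["restaurant.example"]))
```

An empty warning list only means none of these specific signs were found; the destination still has to match what you expected to scan.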
And remember, before using a QR code, think.