QR codes were once a quirky novelty that prompted a fun scan with the phone. Early on, you might have seen a QR code on a museum exhibit and scanned it to learn more about the eating habits of the woolly mammoth or military strategies of Genghis Khan. During the pandemic, QR codes became the default restaurant menu. However, as QR codes became a mainstay in more urgent aspects of American life, from boarding passes to parking payments, hackers have exploited their ubiquity.
“As with many technological advances that start with good intentions, QR codes have increasingly become targets for malicious use. Because they are everywhere — from gas pumps and yard signs to television commercials — they’re simultaneously useful and dangerous,” said Dustin Brewer, senior director of proactive cybersecurity services at BlueVoyant.
Brewer says that attackers exploit these seemingly harmless symbols to trick people into visiting malicious websites or unknowingly sharing private information, a scam that has become known as “quishing.”
The increasing prevalence of QR code scams prompted a warning from the Federal Trade Commission earlier this year about unwanted or unexpected packages showing up with a QR code that when scanned “could take you to a phishing website that steals your personal information, like credit card numbers or usernames and passwords. It could also download malware onto your phone and give hackers access to your device.”
State and local advisories this summer have reached across the U.S., with the New York Department of Transportation and Hawaii Electric warning customers to avoid QR code scams.
The appeal to cybercriminals lies in the relative ease with which the scam operates: slap a fake QR code sticker on a parking meter or a utility bill payment warning and rely on urgency to do the rest.
“The crooks are relying on you being in a hurry and you needing to do something,” said Gaurav Sharma, a professor in the department of electrical and computer engineering at the University of Rochester.
On the rise as traditional phishing fails
Sharma expects QR scams to increase as the use of QR codes spreads. Another reason QR codes have increased in popularity with scammers is that more safeguards have been put into place to tamp down on traditional email phishing campaigns. A study this year from cybersecurity platform KeepNet Labs found that 26 percent of all malicious links are now sent via QR code. According to cybersecurity company NordVPN, 73% of Americans scan QR codes without verification, and more than 26 million have already been directed to malicious sites.
“The cat and mouse game of security will continue and that people will figure out solutions and the crooks will either figure out a way around or look at other places where the grass is greener,” Sharma said.
Sharma is working to develop a “smart” QR code called an SDMQR (Self-Authenticating Dual-Modulated QR) that has built-in security to prevent scams. But first, he needs buy-in from Google and Microsoft,

