As businesses try to create a contactless experience amid the coronavirus pandemic, many have turned to QR codes. We’re seeing a lot of restaurants using them to display their menus on smartphones and on receipts for a contactless pay option.
Within popular apps like Snapchat and WhatsApp, QR codes are an integral part of the user experience. Users can use codes to sign into their account, exchange contact information and make money transfer. In countries like China, QR codes are now the de facto way of life through apps like WeChat.
Of course, this technology comes with its risks. I recently spoke with NBC 10 Boston’s Leslie Gaydos about why QR codes make it really easy for scammers to send phishing links to you. For starters, there is no way to tell where the code will direct you before scanning. This means when an employee gets phished on their personal time, like going to a restaurant, it won’t only affect them personally, it could also compromise their organization’s infrastructure.
A low-tech, yet highly effective phishing method
Just how easy is it to put together a QR code phishing scheme? Lookout actually conducted an experiment a few months back at the annual RSA Conference. We wanted to see how aware security professionals were of mobile cyberattacks while attending a security conference.
Our method was simple: a fake phishing attack using a QR code at our booth advertising a chance to win an iPhone. The code actually pointed to a URL that Lookout manually classified as malicious for the purpose of the demo, meaning that it would be immediately blocked if the user had Lookout phishing protection on their mobile device.
To our surprise, many of the RSA attendees did not have our anti-phishing on their mobile devices and were directed to the site. Luckily for them, our webpage was harmless and had a message educating them about mobile phishing. Had it been a real phishing scam, they could have put themselves and their corporate data at risk.
Why QR code phishing is so effective
Our simple experiment demonstrates how easily attackers can build malicious content into a QR Code. We’ve seen QR phishing rise in popularity precisely because they require so little effort to be successful. And with QR codes being used everywhere for contactless communication, attackers have many opportunities to paste their own codes over existing ones without anyone knowing.
QR phishing can also be an effective way for cyberattacks to access your organization’s sensitive data. For example, your employee could scan a code that leads to a fake bank login page. Once their login credentials are entered, an attacker can use software that crawls the internet for other sites with that employee’s username. When matches are found, the software enters the phished login credentials to log into the account. If your employee uses the same login credentials across multiple accounts, including ones related to work, an attacker could gain access to your organization’s infrastructure.
To protect your device from these attacks, we recommend thinking about QR codes the same way you think about other phishing tactics like email scamming and URL spoofing. When scanning a code, check the URL on the notification before clicking to be redirected. If the URL does not look like a trusted source or differs from the known company’s URL, exit out of the notification.
Attackers are constantly using new phishing methods like QR codes to trick users into giving their information. While training is effective for prevention, a well-placed attack can catch even the most trained professionals off-guard.
Protecting you at home and on-the-go
More recently, we conducted another phishing test. This time at Les Assises de la Sécurité in Monaco. We sent links via SMS to exhibitors and attendees that opted into SMS communications. Nearly 50% of these security professionals clicked on the link, demonstrating how easy it is to phish even experienced professionals on mobile devices.
QR codes or not, mobile phishing is successful because mobile devices are personal. Anyone who has lost a smartphone or tablet has realized just how much we rely on them in our everyday lives — whether it be to send a quick text to a friend, pay for lunch or navigate from point A to B. As we continue to work remotely, mobile devices have also become the tools we use to stay productive at home and on the go.
More than ever, you need a way to discern trustworthy sources from ones vying to steal your employee’s information. In short, you need security that can handle phishing even when your employees aren't within the office security perimeter.
Visit our mobile phishing page to learn why mobile phishing is a threat to your organization.
Copyright: Lookout.com // Hank Schless, Senior Manager, Security Solutions