A new summer craze is hitting the world of cybercrime – weaponized Quick Response (QR) codes. According to cybersecurity firm Darktrace, last month saw a marked increase in “Quishing” attacks.
“Recently, threat actors have been identified using QR codes to embed malicious URLs leading the user to compromised websites containing malware or designed to harvest credentials,” says Darktrace.
So-called “Quishing” attacks are likely to become far more common across the US and Europe during August, when company executives and other key personnel are often on vacation and, therefore, more vulnerable. Someone squinting at their phone on a sunlit beach is not likely to pause before scanning a QR code on the bar menu, no matter what the company back home has advised.
Nevertheless, at this time of year, many cybersecurity firms offer helpful advice for companies to convey to staff away from the office. But hard-to-follow instructions such as “be cautious,” “check the destination site of the QR code” (How?), and “visually examine QR codes for any signs of manipulation” (Ever tried?) are likely to be honored more in the breach than in the observance.
QR codes were invented in Japan in 1994 to label auto parts. Their widespread adoption in the 20 years since then has now sadly become yet another example of a new technology being universally endorsed with scant attention to future data privacy or cybersecurity. And this summer, the number of QR codes on display across the globe is truly enormous. Juniper Research predicts that 2.2bn people worldwide will leverage QR codes, probably with their smartphones, in 2025, up from 1.8bn in 2020.
As QR codes are constantly scanned at restaurants, bars, airports, museums, and countless other places, it’s hard to see how anyone away from the office could easily avoid using them. Even so, inadvertently scanning fake or malicious QR codes can have severe consequences for the user, their family, and their employer. In addition to embedding malicious URLs, a weaponized QR code can send emails from the victim’s address and be programmed to access payment sites and monitor social media accounts.