What Are QR Codes?
QR (quick response) codes were first created in 1994 by an auto company in Japan, Denso Wave. Visually? They look like they were designed by the first inventors of video game graphics. These days you can find them on everything from menus to billboards. Basically, the goal of the QR code is to link an object to a website containing all the information you’d need for that object.
In 2010, QR codes became mobile phone-friendly but required people to download a separate QR code reader app for the code to function. This multi-step process kept QR code usage relatively limited.
But, in 2017 Apple & Android both rolled out QR functionality directly in their smartphone camera apps. With a QR code scanner built-in to smartphone camera apps, and people already well-practiced at pulling out their phones to take pictures, QR code scanning is increasing at an incredible rate.
Increasing QR Code Popularity Means Increasing Risks
With the integration of QR readers in smartphone camera apps, no one has to explain what a QR code is or undertake multiple steps to use them.
Everyone is familiar with the camera app on their phone, which makes it easy to simply tell people, “Take a picture of this thing.”
There isn’t any additional training needed to figure out something new. No barriers.
People just need to take a picture, and magically, they are transported to whatever site you want them to go to. People no longer need to know how it works, just that it does.
This is dangerous.
The first reason is because people are being trained to scan without thinking. Secondly, when looking at a QR code itself, there’s nothing that would indicate one QR code is safe while another is dangerous. This delights hackers, because many other methods of trying to trick you have some visual checks in place to help prevent it.
For example, when it comes to website addresses a company wants you to visit, they are typically in plain text and typically a marketing team has fought to be sure the website address is written so it can be easily remembered and represents the company.
For instance, if a stranger saw a poster in a grocery store for Free Doritos with the instructions typed on the poster, Go to www.Doritos.com/free (just to be clear, NOT an actual page or offer, unfortunately), that makes sense, it’s easy to remember, and because you’re already familiar with seeing different company’s website domains, you’re able to make a quick mental check to determine if you think that address could be trusted.
Whereas if you were to see something like hXXp://www.d()rito$.net/free, you may very well get suspicious and decide to avoid typing that in and going to that site.
With website addresses, we’re able to perform a visual check to determine if it’s a site we would like to trust and ultimately visit.
However, with QR codes, there are absolutely no visual checks we can make to say, “something isn’t right with that QR code.” If you’re like me, it’s like looking at Aqua Blue, Marine Blue, or Seafoam Green paint chips at Home Depot; they’re all the same.
Which make them especially dangerous because you won’t know if they are good or bad until they’re scanned and either take you to a coupon for a free bloomin’ onion or connect you with something very dangerous.”(Side note, my wife was disappointed I didn’t scan because she wants a date night and a nothing says “date night” like a free bloomin’ onion.)
QR Case Study from a Hockey Game
The Tampa Bay Lightning is my team! And I was lucky enough to check out a game this season with fellow Arctic Wolf employees. After one of the Lightning players scored and that sweet puck dangled in slow motion on the MEGATRON video screen, the public address announcer said, “With the scoring of that goal, this means Outback will give all attendees of tonight’s game a free bloomin’ onion. Just scan the QR code on the screen to receive the coupon.”
In that moment more than 21,000 people were led to believe QR codes must be safe because good things come to those who scan QR codes.
I didn’t scan it.
I love a good coupon, but I know that QR codes can take you anywhere. By the time you discover where to, it may already be too late. (Side note, my wife was disappointed I didn’t scan because she wants a date night and a nothing says date night like a free bloomin’ onion appetizer.)
Educating Your Employees on QR Code Security Threats
Cybercriminals always seek new angles to trick employees. They might use hi-tech methods to manipulate a QR code to redirect you to a dangerous site or have you download an app containing malware. Then again, they’re just as apt to use low-lech methods like placing a sticker of their QR code over top of a legitimate QR code.
Could the bloomin’ onion code at a hockey game be trusted? More so than a QR code stuck to a lamp post with no other information printed around it. Yet, that doesn’t make it entirely safe.
Make sure your employees understand that it’s impossible to know where a QR code will take you until you’re already there. This is dangerous. They should be suspicious. For that reason alone, they need to be somewhat suspicious of any QR code they encounter. Even those that offer free bloomin’ onions, a temptation many of us are not equipped to turn down.
Ensure your employees are observant and notice any clues that might make them question the validity of the code offering. Does the URL match what they were expecting when they scanned the code? One thing to always keep in mind: Don’t download apps from a QR code. Instead, go to your app store to determine if you want the app or not.
Security Awareness Training Helps Ensure Employees Won’t Get Tricked
QR codes are just another tool in a bad actor’s bag of tricks. From phishing and social engineering attacks to “lost” thumb drives and shoulder surfing in cafés, and a whole lot more, employees’ knowledge of current cybersecurity best practices is always tested.
Do you have an ongoing security awareness program that delivers fresh, new, and relevant content to educate your employees about the latest threats and what to do about them? Arctic Wolf Managed Security Awareness® does. It prepares your employees to recognize and neutralize social engineering attacks and human error to keep your organization better protected.
