QR Codes: Powerful Technology with a Growing Phishing Danger


In 2024, 90% of all cyber incidents resulted from human error or behavior. This indicates that many attacks involve social engineering, where cyber criminals use social skills to compromise the credentials of individuals or organizations for malicious purposes [1]. In addition to phishing attacks, considered the most common initial attack vectors, other types of social engineering attacks include spear phishing, vishing, smishing, and even QR code phishing.

QR codes have become commonplace and are used daily. Smartphones scan QR codes, converting them into a useful form for the user. While QR codes offer convenience, they pose security risks, especially when malicious QR codes redirect users to phishing sites or download malware onto their devices.

In this blog, you will learn more about how QR code technology was created, the opportunities QR codes offer, and how they work. Additionally, we will discuss how malicious actors can exploit QR codes for illegal purposes, and provide guidelines on how to protect yourself from QR code phishing.

Understanding QR Code Technology and Its Risks

QR codes (Quick Response codes) are two-dimensional barcodes that can be easily scanned with a smartphone camera or a code reader app. Once scanned, they provide quick access to a website, typically a URL linked to the code. Their main function is data storage, and they can hold significant information, including addresses, product details, or contact information.

QR codes are black squares arranged on a white background in a square grid [2]. When the QR code is scanned, the phone’s camera interprets this pattern and displays the information it encodes. That information can be a URL, contact details, plain text, an email address, a phone number, Wi-Fi network details, payment information, or even event details. Unlike one-dimensional barcodes, which encode data along a single axis, QR codes are two-dimensional, meaning they carry information both vertically and horizontally.

QR codes are often used because they provide a simpler way to access websites – they only require a camera to scan, rather than manually typing in a URL. However, when a QR code links to a malicious website, it becomes a form of phishing designed to trick users into entering their login credentials or installing malware on their devices. This is known as QR code phishing, or “quishing.”

Quishing is a lesser-known scam, which makes it an attractive option for cybercriminals. The main challenge with this type of attack is that QR codes are harder to detect and block compared to traditional phishing methods.

The History of QR Code Development

QR code technology originated in 1994 when developers in Japan created it to meet the needs of the company Denso Wave. Denso Wave is a subsidiary that manufactures automatic identification products, including barcode readers and related products, industrial robots, and logic controllers.

In 1992, Research & Development engineer Masahiro Hara took on the challenge of developing a new two-dimensional code system. The idea was to simplify tracking components used in the automotive industry. This system was designed to address the limitations of traditional barcodes, such as susceptibility to damage and smearing, which could lead to scanning errors. [3]

After two years of development, the QR code was created. It stored 200 times more characters than a standard barcode and stayed readable even with 30% of its surface damaged. Since its release under a free license, businesses and industries have widely adopted QR code technology.

Today, QR codes are much more widespread and serve various purposes. They are used in restaurants for ordering. Each table has a QR code that customers scan to place their orders directly. QR codes can also connect users to wireless networks, provide links to download applications, and display text or open websites on a device. Additionally, individuals use QR codes to share their store locations and connect with others on social networks.

A Study of Phishing Threats in QR Code Technology

Researchers from DePaul University and the Karlsruhe Institute of Technology, specializing in security and technology, have studied how people react to QR codes that may contain phishing links.

The study involved 42 participants who scanned QR codes with different types of links. The results showed that 67% of participants opened the link without first checking the URL. 52% scanned the QR code because of the eye-catching text above the code. Because the link contained the word “phish,” 44% of participants recognized the danger and chose not to open it. [4]

The study highlights the need for improved security measures in QR code scanning applications to alert users about potential phishing threats. Only 7 participants decided not to open the URL due to a clear phishing warning in the QR code. The results suggest that most users do not perform a thorough security check before opening a URL.

How to Spot and Avoid QR Code Phishing

When defending against QR code phishing, it’s important to be cautious when receiving an email with a QR code. First, we should ensure that the email is legitimate. Pointing the phone’s camera at the code typically reveals the URL it leads to, so we should avoid accidentally opening the link while checking it.

To protect yourself from QR code scams, it’s best to follow these specific proactive steps:

  • The first recommendation is not to scan unreliable QR codes, especially those from unknown or untrusted sources.
  • After scanning a QR code, check the URL before visiting it or entering sensitive information.
  • Implement secure scanning practices: use trusted scanner applications, verify the source of a code before scanning it, and avoid relying on QR codes in routine communications.
  • Use multi-factor authentication (MFA), and keep your devices regularly updated with the latest security patches.
  • Companies should conduct regular security checks, including phishing simulations and vulnerability scans of their networks and systems, to identify security gaps that these attacks could exploit.
  • It’s also recommended that companies use an email security solution that can detect and block emails containing malicious QR codes before they reach an employee’s inbox.
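The following is an added example, not code from the post, showing how the "check the URL before visiting it" step above could be applied to the text a scanner app decodes from a QR code; it also recognises the payload types listed earlier (URL, Wi-Fi, e-mail, phone, plain text). The sample payloads, the expected-domain parameter and the flagging heuristics are assumptions of this example.

```python
from typing import Optional
from urllib.parse import urlsplit
import ipaddress

# Constructed sample payloads (URL, Wi-Fi, e-mail, plain text), as a scanner app would decode them.
SAMPLES = [
    "https://portal.example.com/login",
    "http://198.51.100.7/reset-password",
    "https://example.com@login.example.net/verify",
    "WIFI:T:WPA;S:GuestNet;P:secret123;;",
    "mailto:helpdesk@example.com",
    "Table 12 - scan to order",
]

def classify(payload: str) -> str:
    """Identify what kind of data a decoded QR payload carries."""
    lower = payload.lower()
    if lower.startswith(("http://", "https://")):
        return "url"
    if lower.startswith("wifi:"):
        return "wifi"
    if lower.startswith("mailto:"):
        return "email"
    if lower.startswith("tel:"):
        return "phone"
    return "text"

def inspect_url(url: str, expected_domain: Optional[str] = None) -> list:
    """Reasons a scanned URL deserves a second look; an empty list means no heuristic fired, not that it is safe."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("no https: do not enter credentials or payment data")
    if parts.username is not None:
        reasons.append(f"text before '@' is not the host; the real host is {host!r}")
    try:
        ipaddress.ip_address(host)  # raises ValueError for a normal domain name
        reasons.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    if expected_domain and host != expected_domain and not host.endswith("." + expected_domain):
        reasons.append(f"host {host!r} does not match the expected domain {expected_domain!r}")
    return reasons

def triage(payloads, expected_domain=None):
    """Map each payload to (type, flagged reasons); non-URL payloads get no reasons."""
    return {p: (classify(p), inspect_url(p, expected_domain) if classify(p) == "url" else [])
            for p in payloads}
```

Pass the domain the sender claims to represent as `expected_domain`; a mismatch is the single strongest signal, since a phishing page can use https just as easily as a legitimate one.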

Conclusion

QR codes offer many benefits, such as an easy way to install apps or access more information about services and brands. However, it is important not to let the convenience of scanning QR codes overshadow our judgment when protecting our privacy. We should remain vigilant and follow best practices to protect ourselves better and avoid becoming victims of quishing.

The first rule is to be cautious and always check the source of the QR code before scanning it. Verify the sender’s email address or phone number. When the sender seems suspicious or the information doesn’t match expectations, it’s safer to avoid scanning the code. Already scanned the code? Double-check the website’s URL. If there is no “https” in the address bar, avoid entering sensitive information; keep in mind that “https” only means the connection is encrypted, so a phishing site can use it too, and the domain name still has to match the organisation you expect. It is also advisable to use a secure QR scanner with built-in security features that check the safety of the link before you open it. Additionally, ensure that the software on your devices is up to date. Outdated software often has security vulnerabilities that hackers can exploit.

In the end, protecting yourself from QR code phishing requires a combination of caution, awareness, and the use of proper security tools.

  • [1] SentinelOne. (2024). Key Cyber Security Statistics for 2024. SentinelOne.
  • [2] Garfinkel, S., & Adams, C. (Eds.). (2013). Financial Cryptography and Data Security: FC 2013 Workshops, USEC and WAHC 2013, Okinawa, Japan, Revised Selected Papers. Springer.
  • [3] Denso Wave. QR Code development story. Denso Wave.
  • [4] Sharevski, F., Mossano, M., Veit, M., Schiefer, G., & Volkamer, M. (2024). Exploring phishing threats through QR codes in naturalistic settings. USEC 2024, NDSS Symposium.

Anđela Milenković

I am a Cybersecurity Engineer with professional experience since 2018, dedicated to protecting organisational computer networks and systems against a diverse range of threats. Holding a master’s degree in cybersecurity and numerous certifications, I am dedicated to perpetually enhancing my skill set and expanding my knowledge base. My passion for sharing knowledge with others has led me to embark on a writing journey, where I aim to impart my cybersecurity insights and expertise to a wider audience.