QR Codes: A Security Threat

With the advent of the NHS Track and Trace app, now more than ever many of us are scanning QR codes. 
So, what do we need to watch out for, and how can you protect yourself from malicious versions of these mobile shortcuts? 


If it seems like QR codes have popped up everywhere these days, you’re right. Ever since they were first used by the Japanese auto industry to streamline manufacturing processes, companies everywhere have capitalised on the benefits of QR codes. They’re cheap to deploy and can be applied to almost anything — which is why every industry from retail to healthcare is now using them as a quick and easy way to link people to websites, promotional campaigns, store discounts, patient medical records, mobile payments and a whole lot more. 


QR codes aren’t just cost-effective and simple to use. They’re also essential, especially during a pandemic where contactless transactions have become the norm. What’s more, the majority of us now own a smartphone, and nearly all of these devices can natively read QR codes with no third-party app required. So, QR codes are clearly having their moment.


What The Numbers Say (Hint: It’s Not Good)

MobileIron wanted to better understand current QR code trends, so in September they conducted a survey of more than 2,100 consumers across the U.S. and the U.K. It confirmed that QR codes are indeed more widely used today. For instance, in the last six months, more than one-third of mobile users scanned a QR code at a restaurant, bar, retailer or on a consumer product. 


The results also highlighted some alarming trends: Mobile users don’t really understand the potential risks of QR codes, and nearly 71% of respondents were unable to tell the difference between a legitimate and malicious QR code. At the same time, more than 51% of surveyed users didn’t have (or didn’t know if they had) mobile security on their devices. 


Like so many things that feel like they’ve been part of our lives forever, we don’t give QR codes much thought. Mobile devices have conditioned us to take quick actions — swipe, tap, click, pay — all while we’re distracted by other things like working, shopping and eating. 


This is exactly the kind of implicit trust and thoughtless action cyber criminals thrive on. And it’s why, if mobile employees are using their personal devices to access business apps and scan potentially risky QR codes, enterprise IT should start taking a much closer look at their mobile security approach. 


So What Exactly Are the Risks of QR Codes? 

Hacking an actual QR code would require some serious skills, because it means rearranging the pixelated dots in the code’s matrix. Hackers have figured out a far easier method instead. This involves embedding malicious software in QR codes (which can be generated by free tools widely available on the internet). To an average user, these codes all look the same, but a malicious QR code can direct a user to a fake website. It can also capture personal data or install malicious software on a smartphone that initiates actions like this: 

Easy Things We Can All Do to Minimise the Risks 

As scary as these exploits are, they aren’t inevitable. Educating people about the risks of QR codes is a good first step, but companies also need to step up their mobile security game to protect against threats like spear phishing and device takeovers. 
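As an added illustration (not code from the original article or from MobileIron): because QR codes all look alike to the eye, the useful check is on the text decoded from the code, usually a URL, before anyone opens it. The sketch below assumes a scanner has already decoded the payload; the function name `triage_qr_payload`, the trusted-host list, the shortener list and the sample payloads are all constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative list of link shorteners; extend it for your own environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def triage_qr_payload(payload, trusted_hosts):
    """Return a list of reasons to distrust the text decoded from a QR code."""
    findings = []
    try:
        url = urlsplit(payload.strip())
        host = (url.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["payload is not a well-formed URL"]
    if url.scheme not in ("http", "https"):
        return ["not a web link; review what the phone would do with it"]
    if url.scheme == "http":
        findings.append("unencrypted http link")
    if url.username is not None:
        findings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal host name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host, possible lookalike domain")
    if host in SHORTENERS:
        findings.append("link shortener hides the destination")
    if host not in trusted_hosts:
        findings.append(f"host {host!r} is not on the trusted list")
    return findings


# Constructed sample payloads, as they would come out of a QR decoder.
SAMPLES = [
    "https://example.com/menu",
    "http://192.0.2.10/login",
    "https://example.com@login.example.net/pay",
    "https://xn--exmple-cua.com/",
    "https://bit.ly/3abcXYZ",
    "FREE-COFFEE-2021",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_qr_payload(sample, {"example.com"}) or "no findings")
```

An empty result only means none of these checks fired; it does not show that the destination is safe.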

What Users Can Do

What Companies Can Do


Hopefully your company is using an on-device mobile threat defence solution that can protect against phishing attacks, device takeovers, man-in-the-middle exploits and malicious app downloads. (If not, speak to us; we can help.) You need to ensure that any solution is deployed on every device that accesses business apps and data, because enterprise security is only as good as the weakest link in your company. Also, educate users about what it protects against (and what it doesn’t). 


If you do nothing else, now’s the time to consider eliminating password-based access to business and cloud apps, which is one of the top causes of data breaches today. By shifting to passwordless multi-factor authentication, you not only eliminate the threat of stolen passwords, you also eliminate the hassle of maintaining them — which makes everyone (except cyber criminals) a lot happier and more productive. 

