Originally devised in 1994 to help track car parts through the manufacturing process, the QR code is having a moment three decades on - but not for welcome reasons.
Alongside a rise in scam QR codes pasted up in car parks and over legitimate ones in restaurants, cybercriminals are turning to the codes as a way to slip past corporate cyber defences.
Reports of QR code fraud, or "quishing", doubled in the year to August 2024, according to Action Fraud.
Banks including Santander, HSBC and TSB, alongside Britain’s National Cyber Security Centre (NCSC), have warned about the increasing use of the codes, blaming the current rise on the wider adoption of QR codes in the wake of the pandemic.
The appeal for cybercriminals is that the codes can bypass corporate antivirus defences and users are less wary of QR codes than they are of links to websites or shortened URLs, Jeremy Fuchs, cyber security researcher at Check Point Software, tells The Stack.
Fuchs says: “When a user scans the QR code with their device, it automatically decodes the embedded URL. It directs them to the malicious site, making it difficult for recipients to recognise the threat.
“Using QR codes instead of links also makes quishing attacks harder to detect. Most traditional email security tools can scan the text of a message for suspicious URLs, flagging them as potentially dangerous. Quishing, by contrast, uses images containing QR codes, which standard security systems struggle to analyse and filter. Extracting URLs from QR codes requires specialised scanning capabilities that many email filters do not yet possess, leaving users more vulnerable to this type of phishing attack.”
The rise of quishing
Cybercriminals are already using the attacks in large volumes, with security vendor Barracuda saying it had recorded half a million attacks using QR codes.
Separate research by McAfee suggested that a fifth of all online scams now originate from QR codes.
Previously, criminals tended to embed QR codes directly in emails, but now tend to put them in PDFs to make them harder to detect, Barracuda says.
Criminals often mimic the language of corporate security to target enterprises, asking recipients to scan a code to view files, sign documents or listen to voice messages, the firm said.
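The detection gap Fuchs describes, and Barracuda's point that the codes now travel inside attachments, come down to where a mail filter looks. The following is an added example (not code from The Stack, Check Point or Barracuda): a scanner that walks every MIME part of a message, hands image parts to a QR decoder, and runs the decoded payload through the same URL extraction as the text body. The QR decoder is pluggable; `opencv_decoder` assumes `opencv-python` and `numpy` are installed, while the sample message and the hash-keyed `lookup_decoder` are constructed stand-ins so the pipeline runs offline. PDF attachments are only flagged here, since a QR code in a PDF has to be rasterised (for example with `pdftoppm`) before it can be decoded.

```python
"""QR-aware email scan: walk MIME parts, decode QR images, check decoded URLs.

Added example, not code from the article or the vendors quoted in it.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/bmp", "image/webp"}


def urls_in_text(text):
    """What a text-only filter sees: URLs spelled out in the body."""
    return URL_RE.findall(text)


def scan_message(raw, qr_decoder):
    """Return [(location, url), ...] for URLs found anywhere in the message.

    qr_decoder(image_bytes) -> list[str] returns the QR payloads in one image.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            for url in urls_in_text(part.get_content()):
                findings.append((f"text:{ctype}", url))
        elif ctype in IMAGE_TYPES:
            name = part.get_filename() or part.get("Content-ID") or ctype
            for payload in qr_decoder(part.get_payload(decode=True)):
                for url in urls_in_text(payload):
                    findings.append((f"qr:{name}", url))
        elif ctype == "application/pdf":
            # A QR code inside a PDF must be rasterised before decoding; record
            # the attachment so it is not silently passed as clean.
            findings.append((f"pdf:{part.get_filename()}", "<unscanned attachment>"))
    return findings


def opencv_decoder(image_bytes):
    """Real decoder for deployments with opencv-python installed (assumption:
    cv2 and numpy are importable). Returns [] when no QR code is present."""
    import cv2
    import numpy as np
    img = cv2.imdecode(np.frombuffer(image_bytes, np.uint8), cv2.IMREAD_COLOR)
    if img is None:
        return []
    data, _points, _straight = cv2.QRCodeDetector().detectAndDecode(img)
    return [data] if data else []


# Constructed sample: the body carries no URL at all; the "QR image" is a
# placeholder whose decoded payload is looked up by hash, standing in for a
# real decoder so the example runs offline.
FAKE_QR_PNG = b"\x89PNG\r\n\x1a\nconstructed-placeholder-not-a-real-image"
FAKE_QR_PAYLOAD = "https://docusign-portal.example.invalid/review/sign"


def lookup_decoder(image_bytes):
    table = {hashlib.sha256(FAKE_QR_PNG).hexdigest(): [FAKE_QR_PAYLOAD]}
    return table.get(hashlib.sha256(image_bytes).hexdigest(), [])


def build_sample():
    """Typical quishing lure (constructed): corporate-security wording, no link
    in the text, the destination only inside the attached image."""
    msg = EmailMessage()
    msg["From"] = "it-security@corp.example"
    msg["To"] = "staff@corp.example"
    msg["Subject"] = "Action required: sign the updated remote-access policy"
    msg.set_content("Scan the attached code with your phone to review and sign the document.")
    msg.add_attachment(FAKE_QR_PNG, maintype="image", subtype="png", filename="sign-now.png")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    print("text-only view :", scan_message(raw, lambda _b: []))
    print("QR-aware view  :", scan_message(raw, lookup_decoder))
```

The text-only pass returns nothing because the body never spells out a URL; only the pass that decodes the image surfaces the destination, which is exactly the case the quote describes.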
Attackers are also using advanced tactics to make quishing attacks more effective, says Chris Fuller, Senior Director of Technical Field Operations at Obsidian Security.
Fuller says, “For example, many attackers host phishing sites on Cloudflare, using its Turnstile captchas to block automated scanning, which complicates threat detection. Obsidian’s recent observations reveal that 77% of phishing sites are hosted on Cloudflare, making it harder for automated tools to verify link authenticity.
“These approaches make phishing attacks more successful by exploiting the limitations of conventional detection mechanisms.”
Obsidian’s research found that 93% of spear-phishing attacks and adversary-in-the-middle compromises succeeded. In 15% of cases, QR code attacks even succeeded with multiple email security solutions active at the same time.
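The Turnstile tactic Fuller describes works because a scanner that is challenged gets no page content, and a scanner that then reports "nothing suspicious found" has effectively been tricked into a clean verdict. The following is an added example (not code from The Stack or Obsidian) of the fail-closed rule a URL sandbox should apply: recognise a Cloudflare challenge page and return "unverifiable" rather than "clean". The markers it checks are the ones Cloudflare documents for challenge pages, the `cf-mitigated: challenge` response header and the Turnstile widget loaded from `challenges.cloudflare.com`; treat the exact strings as assumptions to be kept current. The responses below are constructed, not captured traffic.

```python
"""Fail-closed verdicts for a URL sandbox that may be served a challenge page.

Added example, not code from the article or Obsidian Security.
"""
from dataclasses import dataclass, field

# Assumed markers of a Cloudflare challenge (documented, but verify in your env).
CHALLENGE_HEADER = ("cf-mitigated", "challenge")
TURNSTILE_SCRIPT = "challenges.cloudflare.com/turnstile/"
TURNSTILE_WIDGET = "cf-turnstile"


@dataclass
class Fetched:
    """What the sandbox got back for a URL."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def is_challenge(resp):
    """True when the response is a bot challenge rather than the page itself."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    if headers.get(CHALLENGE_HEADER[0], "").lower() == CHALLENGE_HEADER[1]:
        return True
    body = resp.body.lower()
    return TURNSTILE_SCRIPT in body or TURNSTILE_WIDGET in body


def credential_form(body):
    """Minimal content check: a form that asks for a password."""
    b = body.lower()
    return "<form" in b and 'type="password"' in b


def verdict(resp, content_check=credential_form):
    """Classify a fetch. A challenge is never reported as clean."""
    if is_challenge(resp):
        return "unverifiable"
    if resp.status >= 400:
        return "unreachable"
    return "suspicious" if content_check(resp.body) else "clean"


# Constructed responses covering the cases a sandbox meets.
MANAGED_CHALLENGE = Fetched(403, {"Cf-Mitigated": "challenge", "Server": "cloudflare"},
                            "<html><title>Just a moment...</title></html>")
TURNSTILE_GATE = Fetched(200, {"Server": "cloudflare"},
                         '<html><script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>'
                         '<div class="cf-turnstile" data-sitekey="x"></div></html>')
LOGIN_LURE = Fetched(200, {}, '<html><form action="/post"><input name="u">'
                              '<input type="password" name="p"></form></html>')
PLAIN_PAGE = Fetched(200, {}, "<html><p>Quarterly newsletter</p></html>")
DEAD_LINK = Fetched(404, {}, "not found")


if __name__ == "__main__":
    for name, resp in [("managed challenge", MANAGED_CHALLENGE), ("turnstile gate", TURNSTILE_GATE),
                       ("login lure", LOGIN_LURE), ("plain page", PLAIN_PAGE), ("dead link", DEAD_LINK)]:
        print(f"{name:18} -> {verdict(resp)}")
```

The point of the "unverifiable" outcome is operational: it should route the message to quarantine or analyst review, and it should be counted separately from "clean" in metrics, otherwise a rising share of challenged fetches looks like a falling detection rate.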
Evolving criminal tactics
The widespread use of QR codes has led to a decrease in caution around the technology, which is now being exploited by cybercriminals, says Julian Brownlow Davies, Global Vice President of Advanced Services at Bugcrowd.
Brownlow explains that the impact of one employee scanning a "wrong" link can be significant for enterprises - and because there is no way to "preview" the results of scanning a QR code, employees are more likely to visit fraudulent links.
Brownlow says: “A single successful scan can lead to unauthorised access to corporate networks, data breaches, or the installation of ransomware.
“The cross-platform nature of QR codes means that any device with a camera—smartphones, tablets, or laptops—is a potential entry point for an attack, amplifying the risk across the organisation."
Brownlow advises a proactive and multi-layered approach to defence.
He adds: “Employee education is critical; staff should be trained to verify the source of QR codes and understand the risks associated with indiscriminate scanning.
“Developing and enforcing strict policies regarding the use of QR codes in corporate communications can help minimise exposure. Additionally, investing in advanced security solutions that can detect and analyse QR codes within emails and documents will enhance the organisation's defensive capabilities.”