QR code attacks probably aren’t coming for your scan-to-order menus

QR code-based phishing attacks appear to be on the rise. For this “new” hacking vector, someone gets a phishing email asking them to scan a QR code, that code redirects to a malicious link (usually to steal credentials) and an account takeover occurs. Local news organizations have warned the public to watch out, security leadership publications tell executives to be careful and security companies really, really want you to call it quishing.

To be fair, there have been some notable headlines about it lately. A large-scale version of this against an unnamed “major” US energy company went after Microsoft logins, according to a Cofense report in August. Security researchers have unanimously reported some level of uptick or spike in the attack vector this year. Even the Federal Trade Commission warned consumers of the dangers.

The fanfare around these attacks, however, mostly outweighs the threat of using QR codes in your daily life. Phishing has been, and will likely always be, a prevalent way to trap victims, and what we’re seeing when people talk about QR code attacks is just another way to do that. That’s why despite how the reports may generalize the dangers of QR codes as a whole, some common sense security practices that you already use to avoid phishing can help you avoid this tactic, too. Other, advanced QR-based attack vectors outside of phishing are likely too technically complicated and low reward for bad actors to attempt, or for you to worry about.

Phishing attacks that work by pointing a victim to a malicious link are incredibly common, and QR codes are essentially just another way to execute them. QR codes are “jumping into a security gap,” said Randy Pargman, director of threat detection at security firm Proofpoint. It forces a victim away from their computer and onto a cell phone or another device, adding a level of distraction. Plus, people are more likely to fall for a phishing link on a mobile device, according to Pargman.

The smaller scale makes it harder to tell what’s legit, for example you can’t easily see a full link to point out discrepancies, and we generally tend to feel safer in our handheld world. Scanning a QR code on a phone takes a victim away from their computer. That could mean it has fewer security plugins installed on its browser that would warn you to stay away from suspicious sites, although more browsers have automatic protections against both. Or, if it's taking you from a work device to a personal device, a security team probably supports the computer, but not your cell phone, with extra protections in place to stop you from falling victim. But on the flip side, this is a lot less efficient for scammers to set up. It assumes the victim has access to two devices, rather than just clicking a link.

Plus, people tend to scan the QR codes, even if they’re from an unfamiliar source, because we’re so used to it, according to Fae Carlisle, principal security engineer at cybersecurity company Carbon Black. “People are regularly told to scan a QR code to show them a map of a place, to vote in a competition, to visit Instagram, etc,” Carlisle said. “Because of inherent trust, people go along with it.” Hackers seemingly saw this trend and figured out they could exploit it.

While the application of QR codes to phishing attacks is fairly straightforward, the hype around their use in other malicious vectors mostly ends there. Security professionals advise against scanning unknown QR codes, in the same way you shouldn’t plug a random thumb drive into your device. But, while you should always be on guard to protect against phishing attacks, you don’t really have to worry about using QR codes in your daily life because it’s still rare to see them used as a hacking tactic.

This matters because when we think of QR codes, we don’t usually think of getting them in emails. You’re probably more familiar with them from real world interactions, like a call to action on a flier or a scan-to-order menu at a restaurant. Looking at my own inbox and desktop, the instances of getting a QR code are few and far between, with maybe the exception of some multifactor authentication apps and cross-login for VPNs. Basically, for a hacker going after everyday targets, the less effort the better, and plastering a poisoned QR code all over physical space in the hopes someone will scan it is a whole lot of work, according to Pargman. Bulk sending phishing emails is just a heck of a lot more efficient.

While it’s also possible to imagine a link takeover situation, where the destination of legitimate QR codes is redirected to a malicious URL, that really hasn’t been seen yet. Not only is it a lot of effort, but it would require an attacker to identify a widely-used QR code. That would mean sourcing the code information, and then hoping it was worth the work. “Quishing” may be legit, but avoiding QR codes at all costs probably goes a step too far.

If something seems off about scanning a QR code, pause before proceeding. “If you're scanning a menu of the restaurant's and it's asking you to login to your Gmail account to access the menu, that's a highly unexpected step,” said Olesia Klevchuk, product marketing director at security company Barracuda Networks. “Those are the kinds of things we want to be on the lookout for.” But if you just want to learn more about an exhibit at a museum or have a contactless check-in at the gym, you probably have nothing to worry about.