5 Examples of Real-World QR Code Attacks
QR codes have become an essential part of our daily lives, making things like checking menus, getting discounts, and verifying product authenticity easier. However, their increasing popularity has also made them a target for cybercriminals. In this article, we will explore real-life instances of QR code attacks and their implications for users.
Quick Response (QR) codes have become ubiquitous in our daily lives. We scan them to check menus at restaurants, get coupons at grocery stores, and verify legitimacy for products. However, cybercriminals have begun exploiting QR codes for phishing attacks by targeting unsuspecting users.
QR phishing, also known as quishing, tricks victims into scanning a malicious QR code that links to a fake website or downloads malware. The QR codes often appear trustworthy, posted on flyers, advertisements, or products by bad actors impersonating legitimate businesses. When scanned by a smartphone camera, the code executes with no indication to the user that redirection to a malicious site has occurred.
While not directly related to QR code phishing itself, we will share 5 recent examples of QR code attacks below to demonstrate their potential dangers.
Hackers Abuse QR Codes in Tea Shops to Deploy Malware
In May 2023, a woman visiting a bubble tea shop unwittingly scanned a QR code that appeared entirely legitimate. Little did she know that this seemingly harmless action would result in the download of a malicious application, granting hackers unrestricted access to her phone's applications, microphone and camera.
With these permissions, cybercriminals were able to spy on her activities, record sensitive information, including her banking credentials, and subsequently steal $20,000 from her accounts.
Washington University in St. Louis Members Targeted
In September 2023, Washington University in St. Louis published a blog post about a phishing campaign. The campaign used malicious QR codes to target WashU community members. When the QR code in the phishing email was scanned, it redirected the victim to a fake WUSTL Key login page.
The page asked for login credentials, which the attackers would then use. The attackers also threatened to terminate the recipient’s account if they didn’t scan the QR code. Luckily, the information security team at WUSTL quickly alerted the community. This incident highlights the fact that QR phishing is targeting educational sectors as well.
QR Code Scams After Victim Loses £13k to Scammers
In November 2023, another distressing case took place: a 71-year-old woman at Thornaby Station in Teesside fell victim to a QR code scam, resulting in a loss of £13,000. The scammers placed a fake QR code over a legitimate one on a car parking sign.
After scanning the code and entering her card details on a fraudulent website, her transaction was initially blocked by the bank. However, the fraudsters then impersonated bank staff, convincing her to take out a £7,500 loan. They subsequently altered her banking details, ordered new cards, and set up an online account. The incident led to the removal of all QR codes from TransPennine Express car parks.
Energy Industry Targeted by 2FA Expiring Email
In November 2023, a targeted phishing email was sent to a company operating in the industrial and energy industry. This deceptive email included a QR code that, when scanned, directed the recipient to a fraudulent website designed for phishing purposes. The intention of the scam was to deceive the recipient into believing that their two-factor authentication (2FA) was set to expire, coercing them to scan the QR code for renewal.
It is important to note, however, that Microsoft does not communicate such expiration notices. The email also contained grammatical errors, further indicating its fraudulent nature.
Municipal Services Warns of Scam Involving QR Codes
During January 2023, Singapore's Municipal Services Office (MSO) issued an alert about a scam involving a fake QR code posing as its OneService Lite QR code. This fraudulent QR code was discovered in HDB estate lift lobbies in Bukit Batok.
It directed users to a phishing site soliciting personal information such as name, email, contact number, and address. MSO, in collaboration with town councils, initiated checks and investigations and advised the public to verify website addresses before submitting personal information. They reassured the public that genuine QR codes from OneService channels lead to "gov.sg" domains.
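The address check MSO advised, confirming that a scanned link really sits under "gov.sg" before any data is entered, is shown below as an added Python example (not code from MSO or the original article). The sample URLs are constructed, and the https-only and ASCII-only rules are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Assumption: the only trusted suffix is the "gov.sg" domain named in the advisory.
TRUSTED_SUFFIX = "gov.sg"

def check_qr_url(decoded, trusted_suffix=TRUSTED_SUFFIX):
    """Return (ok, detail) for a URL string decoded from a QR code."""
    text = decoded.strip()
    # Browsers and parsers disagree on backslashes and control characters.
    if "\\" in text or any(ord(c) < 0x21 or ord(c) == 0x7F for c in text):
        return False, "backslash, whitespace or control character"
    try:
        parts = urlsplit(text)
        host = parts.hostname
        parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    # "trusted.gov.sg@other.host" puts the trusted name in userinfo, not the host.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before host"
    if not host:
        return False, "no host"
    host = host.rstrip(".")
    # Assumed policy: reject internationalised names to avoid lookalike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised host"
    # Match on a label boundary: "example-gov.sg" must not pass as "gov.sg".
    if host == trusted_suffix or host.endswith("." + trusted_suffix):
        return True, host
    return False, "host outside " + trusted_suffix

# Constructed sample inputs; none are taken from the incident.
SAMPLES = [
    "https://service.example.gov.sg/form",
    "https://gov.sg.example.com/login",
    "https://example-gov.sg/",
    "https://service.example.gov.sg@example.net/",
    "http://service.example.gov.sg/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url))
```

Only the first sample passes; the others each place "gov.sg" somewhere other than the end of the real host name, or drop https.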
Next Steps For Protection Against QR Code Attacks
QR code attacks are an emerging cybersecurity threat that can cause real damage if employees aren't prepared. We offer a solution - our Quishing Simulator helps transform cybersecurity training by simulating over 600 attack scenarios.
With printed simulations, custom templates, adjustable difficulty levels, and regular content updates, our simulator boosts threat detection skills. Employees can safely learn how to spot and prevent dangerous QR code phishing attempts.
We invite you to book a demo of this innovative simulator. Now is the time to get ahead of the QR code threat curve. Along with the demo, you can also sign up for a 20-day free trial of our Awareness Educator Simulator, which educates employees on common social engineering phishing threats.