The proliferation of QR code menus in restaurants has led to an increase in scams targeting customers for their money and personal data over the past two years, according to the anti-phishing firm TitanHQ.
Nearly 84% of smartphone users have scanned a QR code at least once, while one in three scan a QR code once a week, and the popularity of the technology has led to an increase in “QR code phishing” .
QR codes work by embedding instructions in black and white dot-based images, similar to barcodes on products. The data embedded in the QR code is then translated into human-readable information when users scan it with their smartphone camera, app or scanning device.
QR codes usually contain web links or links to media such as videos or links to download an application, but the use of links in QR codes gives cybercriminals the opportunity to perform phishing scams.
Many restaurants have switched to using QR code menus during the pandemic to reduce the risk of Covid-19 infection, with customers scanning the barcode with their phone and being presented with an online menu.
Scammers take advantage of this by replacing the restaurant’s legitimate QR code with a malicious code that will lead customers to a fake website where they can capture their personal data.
TitanHQ, with offices in Galway and Connecticut, recommends behavior-based security awareness training to mitigate risk, and for businesses to ensure they include their QR code phishing patterns in their simulated phishing exercises so that employees understand what these emails look like and the different methods used. to steal credentials and other data.
Second, TitanHQ recommends using a DNS filter to break the phishing cycle preventing users from navigating to a malicious website. The filter uses a dynamic “threat corpus” system, based on data from millions of subscribers, to create a block list of websites.
Finally, the firm suggests using email filters to detect phishing messages.
Other QR code scams identified include QRL jacking, whereby the attacker initiates a session on a legitimate website, generating the QR code to log in before capturing the QR code via screen scraping and l embed on a fraudulent site.
The attacker then uses spear phishing to target an individual, tricking them into visiting the fraudulent site. The target then uses the captured QR code to log in; this logs into the original session, giving the attacker a legitimate account.
This scam is more difficult to pull off because it is time-sensitive; however, it will be worth it if it’s a high-value or sensitive account, according to TitanHQ.
Crypto-quishing QR scams, on the other hand, involve capturing persistent consent (or prior authorization) to use a crypto wallet, allowing attackers to drain them of cryptocurrency.
There is also Drive-by-QR Code Phishing, in which victims receive phishing emails with QR codes that direct them to an infected website and their device may be infected with malware as a result.
(Photo: Getty Images)