Quick response (QR) codes have become an integral part of daily life, with retail, marketing and other enterprise applications. However, they also represent potential security risks.

Restaurants use QR codes to direct patrons to online menus. Businesses are using them for marketing or advertising by connecting customers to discounts, new product releases, returns or refunds and more. QR codes are even making appearances in Super Bowl commercials.

Just point your smartphone at the code, scan it with your camera and click on the URL that pops up to be redirected to the designated landing page. “It’s so easy, a caveman can do it.” But that’s also part of the problem.

Phishing attacks increased 29% globally to a record 873.9 million attacks in 2021. Additionally, there were 316,747 total phishing attacks in December 2021 — the highest monthly total ever recorded. The same report reveals the overall number of phishing attacks has tripled since early 2020.

And now, cybercriminals are incorporating QR code scams into phishing strategies.

How criminals commit QR code phishing attacks 

QR code phishing occurs when a bad actor uses a QR code as a means to trick people into sharing personal or financial information. In Texas, bad actors put stickers with fraudulent QR codes on parking meters to fool drivers into thinking they can pay for metered parking through a “Quick Pay Parking” site. Really, it’s just a setup to steal their credit card information. Scammers in China have placed fake parking tickets on illegally parked cars and direct them to scan QR codes to pay the fine.

E-banking customers in Germany were sent emails containing malicious QR codes designed to access their banking credentials. In the Netherlands, criminals manipulated legitimate QR codes in ING Bank’s mobile banking app to scam users. The FBI revealed this is becoming more common, with cybercriminals targeting both physical and digital QR codes.

Ultimately, whether physical or digital, these scams all share a common goal: to deceive users into offering up personal information. But there are several ways organizations can avoid falling victim to one of these scams.

1. Advise employees to think before they scan

The bad actor is banking on employees scanning the QR code and clicking on the URL without hesitating. That’s how employees get into trouble and put their company at risk.

If an employee receives an email with a QR code, they should check the provided link before diving in headfirst. Make sure the URL lines up with the company or organization it supposedly represents. Be on the lookout for links with spelling or grammatical errors.

If the employee has any doubts, they should report the suspicious email to the company’s security department. It may be nothing at all, but it’s better to be safe than sorry.

2. Provide regular cybersecurity education

The “human element” is involved in 82% of breaches — that’s why cybersecurity training and education are so paramount.

Monthly newsletters that outline the latest trends and tactics performed by cybercriminals and regular training sessions that expose employees to bad actors’ strategies are all helpful tools.

Mistakes happen, but security teams can minimize the risk with preparation.

3. Make MFA mandatory

Multi-factor authentication (MFA) isn’t 100% infallible, but it’s still an absolute must for protecting credentials in the event of a breach.

If a bad actor gets a hold of an employee’s email and password, this safeguard will at least prevent them from automatically gaining access. Even the most basic security measures can mean the difference between leaving the company exposed and thwarting an attack.

Be vigilant about QR codes

QR codes are a simple method of getting users from point A to point B. But their charm is also what makes them a bad actor’s best friend.

As cybercriminals look to further exploit this new attack vector, organizations must remain steadfast and alert and frequently remind employees to keep an eye out for QR codes that appear out of the ordinary.