Election Security Spotlight – Dangers of QR Codes

What It Is

“Quick Response” (QR) codes are a type of barcode that is easy to scan with a mobile device, can store a large amount of data, and enable a user to access information in an instant. QR codes can store data such as URLs, email addresses, phone numbers, network credentials, etc. As it is more and more common for individuals to have a smartphone, the use and scanning of QR codes is growing. 

You may have scanned a QR code recently to accomplish the following:

  • Be directed to a mobile application download
  • Validate an online account and login credentials (e.g., verifying streaming services and connecting those services to your television)
  • Send or receive payment (e.g., Venmo, CashApp, restaurant checks, parking meters, etc.)
  • Access a Wi-Fi network in a public setting
  • View a restaurant menu

While QR codes are truly a source of convenience, it is important to understand that this convenience also comes with some risk. 

Why it matters

With the increased use of QR codes, there has also been an increase in the number of QR scams.  For instance, cyber threat actors (CTAs) are using QR codes as a means of social engineering. Mobile devices are often more accessible to an attacker since smartphones have become a commodity. With QR codes, an attacker can target your device directly.  

Scanning a QR code can be dangerous for the following reasons:

  • Bypass email filters. Email filters typically analyze only text, not images (such as a QR code). Therefore, use of quishing, or QR code phishing emails, is on the rise. Since QR codes are accessible both on desktop and mobile devices, this poses a significant threat.
  • Generally unreadable to the human eye. CTAs can easily place a malicious QR code over a legitimate QR code, as most people will not be able to recognize that the QR code is different simply by looking at it.
  • Can contain malware or direct a user to a phishing website. CTAs can embed a malicious URL into a QR code that either contains malware or directs the user to a phishing website. Using this tactic, they can then extract data from a user’s mobile device or gain access to private information.
  • Initiating other actions. Scanning QR codes can do more than just open a website; it can also generate other activity, such as the addition of contacts to your phone and the composition of emails on your behalf.
  • Collect other information. QR codes can collect other information, such as a user’s location.

In election years, election officials need to be especially cognizant of the risks that QR codes present. During time periods of increased significance, CTAs look to obtain even more information via phishing and other social engineering techniques. While not all QR codes are malicious, it is important to be just as cautious when scanning a QR code as you are with opening an email attachment.

What you can do

Since QR codes truly are prevalent today, here are some recommended best practices to follow:

  • Ensure the QR code is from a trusted source. Consider the source of the code. Use the same thought process for QR codes received via email as you do with opening an attachment or clicking on a link in an email. If you see a QR code in public, consider the setting and look for signs of tampering. Scan the QR code only if you have verified its source.
  • Be cognizant of where a QR code directs you. QR codes are most often used to direct users to a website. The link will usually first appear as an abbreviated URL. Wait to view the full URL, if your QR code scanner provides this, and determine if the website you were directed to is legitimate. Regardless of the resulting URL, please proceed cautiously and use your best judgment to determine if you were directed to a legitimate website.
  • Disable geolocation settings on the QR code scanner on your mobile device. Scanning a QR code can send your location to an application. Before scanning a trusted QR code, turn off the geolocation settings for your personal safety.
  • Disable automatic scanning of QR codes on your mobile device. Many mobile device cameras or QR code scanners will automatically scan QR codes. To prevent accidental scanning of potentially malicious QR codes, disable automatic scanning in your mobile device settings.
  • Use a trusted QR scanner. Some QR scanners have the capability to alert you if a QR code is potentially malicious.
  • Consider an anti-virus/anti-malware service for your mobile device. If scanning QR codes is unavoidable, purchase an anti-virus/anti-malware service that can best protect the mobile device that you use.
  • Avoid payment via QR codes. Usually, you can submit payment through means other than scanning a QR code. Avoid scanning a QR code, when possible, for this purpose to protect your financial information.

Implementing these best practices can help protect you and your secured data.

Please contact us at [email protected] if you have any questions.