COVID-19 ISO Insights

The Use of QR Codes Has Picked Up During COVID-19: What are the Cyber Risks?

November 16, 2020

By: David Geller, CPCU, SCLA

Many businesses have been forced to adapt in response to the COVID-19 pandemic, largely to minimize contact between different parties and limit potential exposure to the virus.

This has contributed to various trends. One example: The emergence of QR (quick-response) codes.

A mobile marketing company that operates an online QR code generator and also assists companies with implementation told Wired back in August that they had seen “a 25-fold increase in sign-ups from restaurants in June compared to February, and sevenfold increase in sign-ups from hotels.”

The use of QR codes has extended beyond just restaurants and hotels. Wired also reported that QR codes have been used to assist with contact tracing, as well as being pasted in different offices to keep employees advised of updates on procedures and processes. Per NBC Bay Area, an airport parking lot in California is using QR codes too.

In addition to reducing the number of people touching physical items and potentially spreading COVID-19, QR codes are also perceived as convenient. With the simple use of a phone camera, an individual can quickly be brought into a specific digital space. Additionally, per Wired, the information that a QR code leads to can be updated with ease.

While this ease of access and potential limitation of virus spread have been beneficial this year, the price of this convenience may come in the form of increased cyber risks.

QR Codes: How are Cyber Risks Involved?

A blog post on Malwarebytes Labs in 2019 described some of the risks involved with the use of QR codes, even before the COVID-19 outbreak. Some examples cited in the post include:

  • The Netherlands Police Department alerted the public in 2019 of a QR code scam in which criminals were able to extract tens of thousands of euros from victims through social engineering techniques.
  • There were reports coming out of China that individuals who attempted to unlock bikes provided by bike-sharing companies, which is done through QR codes, were also victimized. In these cases, per the post, criminals replaced the QR codes on numerous bikes so that users would mistakenly pay the criminals for the bike use, not the bike-sharing provider. Ultimately, when the bike never unlocked, the victims just gave up, not realizing until later that they had been defrauded. This example is noteworthy given that e-scooters, which have grown popular in the United States, also use QR codes for the rider to unlock the scooter.
  • There were also “reports of QR codes that were rigged to download malware onto the victim’s device.”

Perhaps making these schemes easier to perpetrate is the general inability of people to recognize what a compromised QR code looks like. For example, NBC Bay Area reported on a survey of 2,100 phone users in which 71% of them conceded they wouldn’t be able to spot a malicious code.

While QR codes have become more prevalent during COVID-19, the possibility exists that their use will persist past the pandemic (whenever that may be), heightening the urgency for enterprises and individuals to understand the cyber risks that may come with their use.