Penetration Test | Jan Kahmen | 8 min read

Beware of QR Code Phishing

Since QR code phishing works both analog and digital, you should not place unlimited trust in QR codes.

QR codes have become an integral part of everyday life. Whether you want to store a vaccination certificate in an app, scan a bank transfer, or access web content -- the small square code is everywhere. Using a QR code is straightforward: simply scan it with a QR code scanner or your smartphone camera, and you instantly gain access to the associated service. At first glance, this makes QR codes a convenient everyday tool. However, this very simplicity is exactly what cybercriminals exploit for QR code fraud.

New Scam: QR Codes in Emails or Letters

Fraudsters have numerous ways to access your login credentials. A lesser-known but increasingly common method is QR code phishing. In this type of attack, a manipulated QR code is placed directly within an email. You don't need to download an attachment or click a link -- just scanning the code is enough. For criminals, this approach has a significant advantage: it bypasses many conventional security solutions with ease.

A particularly critical aspect of QR code fraud is that cybercriminals can gain access to your smartphone. The reason is straightforward: while organizations invest heavily in securing their IT infrastructure, most personal mobile devices fall outside this protection. Users generally trust that their phones are safe and rarely have security software installed. Although mobile app pentests can detect such threats, many people remain unaware of the risks.

Since QR code phishing works both in physical and digital form, you should treat QR codes with caution as a matter of principle. In a phishing scenario, the scanned code may redirect you to a fraudulent website that criminals have designed to look authentic. Once you enter your login credentials, attackers can intercept and misuse your data. Whether you notice the fraud immediately depends on the attackers' intent. When bank or financial details are involved, however, the damage usually becomes apparent quickly.

Additionally, QR codes sent via email or postal mail can be used to install malware on your device. Hidden applications give scammers access to your personal data. Since many mobile devices lack adequate security measures, QR code phishing can cause significant harm.

QR Code Scanners: An Underestimated Risk

QR code scanner apps can be conveniently installed from the app store and are useful in many everyday situations. Despite stricter security measures in the stores, cybercriminals still manage to distribute manipulated apps. Even legitimate scanner apps can become a gateway for attacks through the advertisements they display. Using a QR code scanner carries the following key risks:

  • Subscription trap: Some providers lure you in with a free trial subscription upon installation and automatically renew it if you don't cancel in time. Since cancellation instructions are often well hidden, unexpected costs can accumulate. While less severe than other forms of fraud, this is still worth protecting yourself against.
  • Malware: Apps can install trojans, viruses, or other malware alongside their intended functionality. These programs often run undetected in the background while spying on your data. Manipulated QR code scanners make it easier for criminals to distribute such malware.
  • Fraudulent advertising: Even reputable providers can display manipulated advertisements. This problem is especially prevalent in free apps that rely on ad revenue. Such ads can redirect you to fake online stores or present deceptive offers.

Protection Against QR Code Fraud: Tips and Security Measures

To protect yourself from QR code fraud, you should follow a few fundamental security practices. After all, it is nearly impossible to tell from the outside whether an app or QR code has been tampered with.

  • After scanning a code, verify that the URL matches the expected website. Watch for typos or unusual character sequences in the address.
  • Be suspicious if a website accessed via QR code prompts you to enter login credentials. Such requests frequently indicate a phishing attempt.
  • Avoid making payments on websites that you reached through a QR code. Fraud rates are particularly high in this area.
  • If you receive a QR code by email or postal mail, exercise caution. With physical letters, check whether the QR code has been pasted over the original.
  • Download apps exclusively from the official store and avoid initiating installations via QR codes.
  • Use your smartphone's built-in camera to scan codes rather than a separate app. This feature is available on most modern devices and provides an additional layer of protection.
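As an added example that is not part of the original article, the following Python function applies the first two tips above to a URL decoded from a QR code: it flags non-HTTPS schemes, hidden `@` userinfo tricks, punycode or non-ASCII hostnames, and hosts that merely resemble the expected domain. It assumes the legitimate hosts are known in advance; `EXPECTED_HOSTS` is a constructed sample list.

```python
# Added defender-side check for a URL decoded from a QR code (not from the article).
# EXPECTED_HOSTS is a constructed sample of the domains you genuinely expect to reach.
from urllib.parse import urlsplit
import difflib

EXPECTED_HOSTS = {"login.example-bank.com", "example-bank.com"}  # constructed sample


def check_qr_url(url: str, expected_hosts=EXPECTED_HOSTS) -> list[str]:
    """Return a list of warnings; an empty list means no red flags were found."""
    warnings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # A QR code pointing at a non-web scheme is unusual for a login or payment flow.
        warnings.append(f"unexpected scheme '{parts.scheme}'")
        return warnings
    if scheme != "https":
        warnings.append("not HTTPS")
    if "@" in parts.netloc:
        # "https://example-bank.com@other.example/" really goes to other.example.
        warnings.append("userinfo '@' in authority can disguise the real host")
    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("no hostname")
        return warnings
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("internationalised (punycode) hostname")
    if any(c not in "abcdefghijklmnopqrstuvwxyz0123456789.-" for c in host):
        warnings.append("non-ASCII or unusual characters in hostname")
    # Exact match or a subdomain of an expected host is considered legitimate.
    if host in expected_hosts or any(host.endswith("." + h) for h in expected_hosts):
        return warnings
    # Host is not one we expect: see whether it merely resembles one (typosquat).
    close = difflib.get_close_matches(host, expected_hosts, n=1, cutoff=0.8)
    if close:
        warnings.append(f"host '{host}' resembles expected '{close[0]}' but is not it")
    else:
        warnings.append(f"host '{host}' is not an expected domain")
    return warnings
```

Run it on the string your scanner shows before you open the link; any non-empty result is a reason to stop.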

Pentests: Effective Protection Against Fraud

Penetration tests protect you and your organization not only from QR code fraud but also from a wide range of other threats. The specific form of pentest best suited to your needs depends on your individual project.

  • Pentests for web applications focus on web technologies and uncover potential attack vectors that could compromise your infrastructure.
  • Pentests for mobile applications are designed to identify security vulnerabilities in apps, with a particular focus on the backend systems used for communication.
  • Infrastructure pentests examine the security of your critical IT infrastructure, including server systems, VPN solutions, and wireless networks.
  • Pentest vs. Red Team Assessment: A Red Team Assessment differs from a traditional penetration test in both its objectives and time investment. Both approaches strengthen your cybersecurity posture, but the right choice depends on your specific requirements. Ideally, the two methods complement each other to deliver a comprehensive improvement in your IT security.

Across all our pentests, we adhere to the most important industry standards to ensure the highest level of cybersecurity. A key foundation is the Penetration Testing Execution Standard (PTES). The cost and pricing for a pentest can vary considerably depending on your existing infrastructure. A direct inquiry allows us to assess the scope in advance and provide a tailored estimate.

Tip: In addition to these specialized test types, the six Linux distributions for penetration testing can help you identify vulnerabilities.