Penetration TestJan Kahmen8 min read

Beware of QR Code Phishing

Since QR code phishing works both analog and digital, you should not place unlimited trust in QR codes.

Table of content

QR codes can now be found in more and more areas of everyday life. Whether you want to store a vaccination certificate in one of the many Corona apps, scan a bank transfer or call up web content - the square code is used everywhere. The way the QR code works is very simple: all you have to do is scan it using a QR code scanner or your cell phone camera - then you can access the service offered. At first glance, this makes the code a valuable companion in everyday life. At the same time, the very ease of use invites cybercriminals to commit QR code fraud.

New Scam: QR Codes in Mails or Letters

There are many ways for fraudsters to access your login data. A lesser known and newer method is QR code phishing. This is a form of QR code fraud that can be placed directly in an email. You don't have to download an attachment or click on a link, just scan the QR code. For criminals, such QR code scam has the advantage that many security solutions can be bypassed quickly and easily.
A major problem with QR code fraud is that cybercriminals gain access to your smartphone. The reason is simple: while companies have numerous security measures in place, most mobile devices are not part of the protected infrastructure. Most users trust that their phones are safe and have no software to warn them. Although mobile app pentests can detect such a threat, many users are unaware of the potential dangers.
Since QR code scam works both analog and digital, you should not trust QR codes without limits. In QR code phishing, then the small square leads them to a fake website, for example. Criminals prepare these websites so skillfully in advance that they look deceptively real. If you then enter your login data for your accounts or other services, the fraudsters have an easy job. This is because cybercriminals can intercept your input and steal your data. Whether you notice the QR code fraud directly depends on what the attackers have planned. However, if it is the entry of your bank or financial data, the fraud quickly becomes obvious.
Alternatively, QR codes sent via email or postal mail can be used to install malware. Hidden applications allow the scammers to access your mobile devices. The result is that you can read your personal data. Since many places lack the necessary security measures for mobile devices, QR code scam can have devastating consequences.

QR Code Scanner: An Underestimated Risk

QR code scanner is a way to retrieve QR code content. Such scanners can be conveniently installed via the app store and help in many everyday situations. Despite tighter security measures in the stores, cybercriminals may provide the often free apps. Even legitimate offers can contribute to QR code phishing due to the ads they display. The following risks are associated with the use of a QR code scanner:

  • Subscription trap: The subscription trap hides in many areas - also in the QR code scanner. Some providers offer you a trial subscription upon installation and automatically extend your subscription if you do not cancel it. Since the notices in this regard are often well hidden, you incur unexpected costs. Although this can also be a QR code scam, the consequences are less devastating than in other scenarios. Nevertheless, you should protect yourself as much as possible.
  • Malware: A common problem with apps is that they can install Trojans, viruses or other malware along with the actual application. These programs are often undetectable, but can still spy on your data. QR code scam makes it easier for criminals to install such content on your device.
  • Advertisements: fraudulent advertisements and QR code scams can occur even on reputable providers. Nevertheless, you can find such content more often on the free offers that are financed by ads. The superimposed ads are an important source of danger and can redirect you to fake stores or make fraudulent sales offers.

Protection Against QR Code Fraud: Tips and Security Measures

To prevent QR code fraud, it is important that you take the necessary security measures. After all, it's almost impossible to tell which app may bring dangers or which QR code is designed to commit fraud.

  • When scanning a code, check whether it actually calls up the desired website. Pay attention to the URL - it should not contain typos or incorrect letters.
  • You should be skeptical as soon as you enter a website via the QR code and are asked to enter your login details. Often, these are QR code scams that can lead to huge financial losses.
  • Refrain from making payments on websites that you access via a QR code. This is where QR code fraud is especially common.
  • If you receive a QR code by email or by mail, it may also be QR code fraud. Therefore, with letters, pay attention to whether the QR code has been pasted over.
  • It is best to download apps directly from the official store. Refrain from starting the installation via a QR code to protect yourself from QR code scams.
  • Use your smartphone's camera to scan a code instead of a separate app. This feature is available for most smartphone cameras and protects you from unwanted QR code fraud.

Pentests: Effective Protection Against Scam

So-called pentests protect you and your company not only from QR code fraud, but also from potential malware. What exactly the IT security penetration test looks like depends on your specific project.

  • Pentests for web applications focus on web technologies. This makes it possible to identify potential attack vectors that can threaten your infrastructure.
  • Pentests for mobile applications are designed to detect problems with apps. They focus on the backend system used for communication.
  • Infrastructure pentests, on the other hand, check the security of your critical IT infrastructure. This includes, for example, server systems, VPN systems and WLAN networks.
  • Pentest vs. Red Team Assessment: The Red Team Assessment differs from the classic penetration test both in terms of objectives and time required. In principle, both options provide you with additional cybersecurity, but it depends on your individual requirements which approach is appropriate. Ideally, however, the two test methods should go hand in hand to significantly increase your IT security.

For all pentests, we take care to adhere to the most important standards in order to contribute to the greatest possible cybersecurity. One basis for this is the PTES. Here we have explained the Penetration Testing Execution Standard (PTES) in simple terms. The cost and pricing for a pentest can vary greatly depending on the infrastructure at hand. A direct inquiry allows to estimate the necessary effort in advance and to calculate both accordingly.
Tip: In addition to these specialized test variants, the six Linux distributions for penetration testing can help you identify vulnerabilities.


Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment: