Why you should think twice before scanning QR Codes
The hidden cyber security risks posed by QR codes
You have probably seen QR code before, whether this is your favourite restaurant asking you to ‘scan to read the menu’ or to ‘check in’ to events. QR stands for ‘quick response’ and refers to the square shaped grid that can be scanned via any modern smartphone or digital device camera to launch a website or app. But are you aware that when you use your digital device to scan these codes you’re potentially putting yourself at risk?
Whilst QR codes are certainly a quick and convenient option for marketers and consumers, potential cyber threats are underestimated. Cyber criminals can embed malicious URLS containing malware that will be downloaded on the victims digital device or redirect the QR code to a phishing website where unsuspecting victims may disclose personal and financial information.
In our fast paced digital world, many of us scan these seemingly harmless codes without a second thought - that's why it's crucial to take a moment and think twice before scanning. By being aware of these potential threats, you can navigate the digital landscape more safely and make the most of the benefits and convenience QR codes offer.
Why are QR codes a cyber security risk?
Research carried out by SecurityHQ has demonstrated a significant increase to QR phishing (or ‘quishing’) emails in 2023. Part of the reason for this increase is that most modern email services have adapted to filter out the majority of spam emails containing malicious URLs, however, they do not have the capability to scan and filter out malicious QR codes. Additionally, many people are completely unaware of the wide range risks posed by QR codes. In his TED Talkon ethical hacking and subverting the internet, magician and hacker Tom London demonstrates how dangerous scanning QR codes can be using his live audience.
Phishing remains the predominant tool of malicious cyber criminals. By using Quishing, hackers are able to obfuscate website URLS by creating a visual QR code. This means that the victim then cannot see the URL and identify potential QR fishing in a mismatch of address to intended location before they scan, making it harder to identify legitimate websites. This is especially prevalent as in these phishing emails threat actors will use techniques to create a sense of stress and urgency, such as a time sensitive alert, leading victims to not be as vigilant as they may usually be.
Get daily insight, inspiration and deals in your inbox
Sign up for breaking news, reviews, opinion, top tech deals, and more.
In August 2023, researchers in cyber security at Cofense detected an extensive quishing campaign, which targeted a major US energy company. According to this research, attackers were able to send over 1,000 emails, with almost a third (29%) targeting the unnamed U.S. energy company. Additional emails were sent to companies operating in the manufacturing (15%), insurance (9%), technology (7%), and financial services (6%) sectors. The malicious QR Codes redirected recipients to a false landing page designed to mimic the Microsoft 365 login page. In the email the victims were told they needed to update their account settings within three days, creating a false sense of urgency, prompting users to input their login credentials so they could be stolen by malicious actors.
In another particularly disturbing incident in September 2023, cyber criminals were able to redirect a URL associated with childrens cartoon ‘Paw Patrol’ printed on four themed snack products, All Butter and Choc Chip flavored ‘Mini Biscotti Biscuits’ and Raspberry and Apple flavored ‘Yummy Bake Bars’, to redirect to pornographic content. Discount supermarket Lidl were forced to recall the entire range of these snacks. It is unclear how many other retailers were affected, however when TechRadar contacted Lidl GB, we were told ‘this is a branded limited offer product that is not part of our core range and is also stocked by other retailers."
In a public notice about the QR hijacking, Lidl stated: “We recommend that customers refrain from viewing the URL and return this product to the nearest store where a full refund will be given.”
According to TechCrunch, the domain used in the cyber attack is currently registered to a person located in Lianyungang, China, but had previously belonged to Appy Kids Co, the manufacturer of the affected Paw Patrol products. Public records from Companies House indicate that this company was dissolved over a year ago.
In an email to TechRadar Pro, Lidl stated: "As soon as this was brought to our attention, we immediately launched an investigation with the supplier that owns the URL and withdrew the item from sale. As a precautionary measure we have also issued a public recall."
The widespread use of QR codes, while undoubtedly convenient, introduces a notable cyber security risk. In the rapid digitisation of our lives quick-response tools are on the rise, and so is potential for exploitation by cyber criminals. The seamless integration of QR codes into various aspects of our lives, from restaurant menus to event check-ins, makes them an attractive target for malicious activities. Cyber threats, including the embedding of malicious URLs or redirection to phishing sites, underscore the importance of exercising caution when interacting with QR codes.
Vigilance and awareness are key in navigating the digital landscape safely, prompting a reconsideration of the potential risks associated with the seemingly innocuous QR code. However, if your digital device does become compromised with malware there are actionable steps you can take to address the situation quickly and remove it.
The best malware removal software in 2024
If your device is infected with malware from a dodgy QR code, it’s important to remove said malware with a malware removal tool as soon as possible. The best malware removal tools on the market are able to effectively remove viruses, trojans, and ransomware, as well as protect your computer from future attacks. The good news is whilst it is more important than ever to protect your devices than ever it is also easier than ever to install comprehensive and effective protection. The following list outlines our top three picks for comprehensive protection.
1. Malwarebytes - Best protection
If you suspect that you have been infected with malware, Malwarebytes should be your go-to program. It is updated daily so you can trust it will stay on top of new threats as they appear.
Malwarebytes premium includes preventative tools like real-time scanning and specific protection from ransomware. However, the basic (and free!) version is still incredibly effective. The only downside is that the basic version has to be operated manually. We recommend running a scan at least once a week to check for any issues that you haven’t noticed, as well as running if you notice that your web browser has suddenly started behaving differently.
In 2022, Malwarebytes also purchased Adwcleaner, which removes programs that hijack your browser by changing your homepage, resetting your default search engine, or adding unwanted toolbars.
2. Avast Antivirus - Best antimalware and antivirus
Avast Antivirus offers a comprehensive online protection suite, bundling both antivirus and antimalware, that utilizes behavioral monitoring to spot rogue programs, into one software.
If you operate across multiple devices Avast is unbeatable for its availability across mobile devices as well as desktops.
The ‘basic’ Avast plan is free and provides complete protection which can be upgraded to a paid plan that allows you to fine-tune your PC to run better and includes anti-ransomware software and secure file shredding. For business users, there are also paid-for internet security options to cover a range of additional needs.
3. Kaspersky Antivirus - best overall cyber security
Kaspersky Antivirus focuses on the core security essentials and offers a stripped back, streamlined user experience. It features web filtering to block dangerous URLs, an accurate engine that detects and removes threats as well as smart monitoring technologies that track and reverse malicious actions. There are also standout elements including automatic scans, drive-by cryptomining infection prevention, and simplified security management. Though this is more limited compared to additional features offered by competitors, the features it does offer work incredibly well. If you are unlucky enough to be infected by malware we have found Kaspersky is one of the best at blocking malware, and removing it from an infected system.
The interface is incredibly simple to use, balancing the line of not being overly complicated and intimidating for new users. It also features simple, on-screen instructions to explain how everything works.
Picking the right malware removal software
Choosing the right malware removal software is vital for keeping your digital devices secure. Though there are many effective malware removal tools on the market, it is important to identify the right tool for you depending on how you will use the tool.
There are a number of important factors to consider when it comes to selecting the right software for you and making an informed choice.
Budget: Luckily there are incredible options across a huge price range, with many such as Malwarebytes offering comprehensive free coverage, so there's no excuse to not be protected! For personal use often free malware tools offer enough basic protection to keep your data and devices secure at no additional cost. However, for corporate work or if you are handling sensitive information we recommend a more sophisticated software in order to bolster your defense, which often translates to more expensive.
Sensitive data is worth a lot to both your employer and malicious actors due to the damage it can cause by being compromised- so it’s best to invest in both preventative measures and a removal program for the worst case scenario.
Effectiveness: Any reliable malware removal tool will detect and eliminate threats on your device with speed and accuracy. To gauge the efficiency of how the software will work for you, it’s useful to try out multiple options and pay attention to how long the scans take as well as compare how well the tools interface performs on your device. Additionally, consider the impact on your computer's performance. Check if the software puts a strain on your CPU, as some tools might consume considerable resources, potentially slowing down your computer. Striking the right balance between effective threat detection and minimal impact on your device's speed is key.
Additional features: Many companies strive to stand out by packing their programs with extra features, enticing users with added value. These features often go beyond basic malware removal and can significantly enhance your digital security. These may include security tools such as virtual private networks (VPN) service that lets you surf the web privately and anonymously. You may also find some options including integrated password managers that help you organize and secure your online accounts conveniently. Opting for a malware removal tool that bundles these features can be a smart move, saving you both money and the hassle of purchasing separate programs.
Ease of use and user friendly experience: When it comes to choosing malware removal software, it's essential to consider the ease of use, tailoring your experience to how tech savvy you, or the person you are installing the software for, may be. A user-friendly interface can make a significant difference in your overall experience. Take some time to explore the programs by clicking around to see how intuitive the navigation is and ensure you can easily access the features you need. Alternatively, if you prefer a more hands-off approach, test if the software allows for an automatic setup that works seamlessly in the background. Operating software into your digital security toolkit should be a hassle-free experience, and selecting a tool that aligns with your comfort level ensures smoother and more efficient protection.
Customer support: In the event something goes wrong with your programs, it’s good to know there's someone on hand to help. Take the time to evaluate the customer service options provided by each program, considering the channels available for crisis communication. Think about your preferred medium—whether it's email, telephone, or live chat—and ensure the program aligns with your communication preferences. Additionally, assess customer service availability times, a malware attack doesn't wait for office hours, so consider whether the support is available 24/7, during standard business hours, or follows a different schedule. This ensures that assistance is accessible whenever you need it. It’s worth noting that often that customer support is usually reserved for paid users. If you’re opting for a free plan, assess the availability of comprehensive FAQs, forums, and online support communities. While not as direct as personalized support, these resources can provide valuable insights and solutions to common issues, enhancing your overall experience with the malware removal tool.
Addressing malware has become a significant concern on both business and personal devices, with its prevalence escalating each year. This is why it is more important than ever to have malware removal software on hand. Our mission is simple: to be your tech experts. We're your source for tech-buying advice, use, and long-term insight to help you find the best tech and get the absolute most out of it.
We test both free and paid versions of these programs to compile the best options for you to choose from. We check all essential factors including speed, performance, ease of use, pricing, and customer support.
To test for the best malware removal we first set up accounts on each across the leading software platforms whether it was a program download or an online service.
We then test the service to see how the software could be used for different purposes and in different situations. The aim is to push each platform to see how useful its basic tools are. This process also demonstrates how easy it was to get to grips with any more advanced tools, as well as compare free and paid plan options. We also assess how well each platform scored for malware detection, ease of operation, and whether it identified any false positives.
Set up Multi Factor Authentication
Proactively safeguarding the security of your accounts from potential hacking attempts involves incorporating multi-factor authentication (MFA) into your digital security toolkit.
Multi-factor authentication is a verification method that allows a user access to a website or application through a multistep login process. This often involves confirming the login attempt through avenues such as across devices, push notifications or contact addresses. If you frequently use mobile banking you have likely already come across a form of multi-factor authentication.
The National Cyber Security Centre (NCSC) recommends implementing two factor authentication for ‘high value’ accounts and all email addresses. This is because email accounts provide a route for cyber criminals to reset passwords on other accounts. The more accounts that benefit from this additional layer of security, the more robust the defense against potential cyber attacks.
However, with all added layers of security comes more avenues for cybercriminals to exploit. In multifactor authentication fatigue attacks, also known as MFA Bombing or MFA Spamming, malicious actors will persistently send second-factor authentication requests to the victim's email, phone, or registered devices with the aim of pressuring the victim to confirm their identity through notifications. These attacks often result in the depositing of a ransomware software with the intent of stealing sensitive data in order to extort companies and individuals for its return. This process inadvertently authenticates the attacker's attempt to access the victim's account or device. MFA attacks are often preceded by other forms of cyber crime including phishing to gather initial information, creating a foundation for the multi-factor authentication fatigue attack- so be vigilant and protect yourself.
Individuals and organizations alike must adopt rigorous protective measures, including staying informed about the latest phishing tactics, employing robust cyber security protocols, and being cautious about any information shared online.
In addition to using multiple devices or contact addresses for verification, consider incorporating biometric authentication methods like fingerprint or facial recognition. These add an extra layer of personalization and security. Routinely run corporate and personal security audits during which you ensure passwords are not repeated or compromised, run malware scans, check that devices are secure, especially if you have connected to any public Wi-Fi or scanned public QR codes.
By adopting these comprehensive security measures, you contribute significantly to the safeguarding of your sensitive information and digital devices.
Olivia joined TechRadar in October 2023 as part of the core Future Tech Software team, and is the Commissioning Editor for Tech Software. With a background in cybersecurity, Olivia stays up-to-date with all things cyber and creates content across sites including TechRadar Pro, TechRadar, Tom’s Guide, iMore, Windows Central, PC Gamer and Games Radar. She is particularly interested in threat intelligence, detection and response, data security, fraud prevention and the ever-evolving threat landscape.
- Katie BakerFreelance Writer