Cybercriminals don’t steal your QR codes in the traditional sense. Instead, they create fake QR codes and trick the target user into logging in, then steal their login credentials. This type of cyberattack is called quishing, i.e., QR code phishing.
Signing in with a QR code doesn’t always sound like a cyberthreat. This makes it among the most common ways for data brokers and hackers to collect and sell your QR code logins. However, quishing threats are avoidable. This guide will walk you through what quishing or QR phishing is, whether it can steal your passwords, and how to prevent a QR code login scam.
Is QR Code Login Secure?
QR code logins are often considered secure. However, their security depends entirely on the implementation and the user’s awareness of safely using QR codes to log in. They are more secure than passwords but come with their own risks.
Reasons Why QR Code Logins Are Considered Secure
Before getting to the risks, here are the reasons why it’s considered secure:
- Eliminates Password Vulnerabilities: QR codes remove the need to manually type a password. This prevents common threats like phishing scams, keystroke-logging malware, and password reuse risks.
- Relies on the Mobile Device’s Security: This method shifts the main security checkpoint to your smartphone. Meaning, data security relies on your phone’s own protections, such as biometric locks.
- Single-Use Codes: Each QR code is generated for a single login session and expires quickly. It would be invalid if someone else used the code.
- Secure and Direct Server Link: The verification process is handled through a private, encrypted channel that connects your phone directly to the service provider’s systems. The computer you’re logging into is just a conduit and does not see or handle your login credentials.
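The single-use, short-lived behaviour described in the list above can be sketched on the server side as follows. This is an added example, not code from any particular service; the class name, the 60-second lifetime, and the in-memory store are assumptions made for illustration.

```python
import secrets
import time


class QrLoginSessions:
    """In-memory store of pending QR login sessions (hypothetical design)."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self.ttl = ttl_seconds          # assumed lifetime of one QR code
        self.clock = clock
        self._pending = {}              # token -> expiry timestamp

    def issue(self):
        """Create the random token that would be encoded in the QR image."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = self.clock() + self.ttl
        return token

    def redeem(self, token, user_id):
        """Called by the already-authenticated phone over its own channel.

        Returns user_id on success, None if the token is unknown,
        expired, or has already been used.
        """
        expiry = self._pending.pop(token, None)   # pop makes it single use
        if expiry is None or self.clock() > expiry:
            return None
        return user_id


def demo():
    now = [1000.0]  # constructed fake clock so expiry can be shown offline
    store = QrLoginSessions(ttl_seconds=60, clock=lambda: now[0])
    fresh = store.issue()
    first = store.redeem(fresh, "alice")      # accepted
    replay = store.redeem(fresh, "mallory")   # same code again: rejected
    stale = store.issue()
    now[0] += 61                              # code left on screen too long
    late = store.redeem(stale, "alice")       # expired: rejected
    return first, replay, late
```

Single use and expiry only limit reuse of a captured code; they do not help when the user is sent to a fake site, which is the case the rest of this guide covers.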
Can You Get Phished With a QR Code?
ReliaQuest research indicates that by September 2023, 51% of all phishing attacks involved QR codes. That said, yes, you can get phished with a QR code. This is a growing phishing threat since people are still less cautious about scanning a code than clicking a suspicious link.
Before getting to the risks, it’s vital to understand how QR code phishing works. An attacker sends you a QR code via email, text message, or any other medium. The message, similar to a scam link message, creates urgency or offers something too good to be true.
Scanning the code redirects you to a fake website designed to look like a legit page. The attacker steals the credentials right when you enter them. At times, the code might trigger an automatic malware download on your device.
QR Code Login Security Risks
QR codes are often used by scammers to steal login credentials. Here are the QR code login security risks:
- You can’t see the URL until after you scan. There’s no upfront way to spot a malicious link.
- People are often conditioned to scan codes without suspicion. It feels like a quick, modern, and direct action that’s less risky.
- QR codes can bypass email security filters that typically block malicious links because the URL is embedded in an image.
- Attackers craft fake sites that look like desktop logins to exploit the disconnect between your phone’s scanner and what you see on its screen. This makes the scam less obvious.
How Common Are QR Code Phishing Attacks?
QR phishing is a rapidly growing threat. It now represents a significant portion of the phishing landscape. This section covers statistics about quishing (QR phishing) attacks and what makes them more prevalent now.
- According to Keepnetlabs, in 2023, senior executives were targeted by QR code phishing attacks at 42 times the rate of the average employee.
- Anti-Phishing Working Group (APWG) reported that the use of QR codes in phishing emails surged by nearly 1,000% from the last quarter of 2023 to the first quarter of 2024.
- Security firms like Cofense and Check Point routinely document global campaigns targeting millions of users with QR codes. These often impersonate major services like Microsoft, Google, and banks.
Why Quishing Attacks Are Growing Prevalent
QR phishing wasn’t always as common as it is now. Its growth is mainly due to the ability of QR codes to bypass basic security checks, since the link is embedded in an image, and to the higher use of QR codes. Along with that, here are the common reasons why quishing is growing prevalent:
- Bypasses Email Filters: Most email security gateways scan links but not images. QR codes are images with the link embedded in them. This enables the QR code to slip through.
- Cross-Device Deception: Scans happen on phones, but the fake page is designed to look like a desktop login. This device mismatch confuses the user and makes the scam less obvious.
- User Trust in QR Codes: People often believe that scanning QR codes is safer, and scanning a QR code is now common for accessing a menu, connecting to WiFi, or proceeding with payments. This behavior, combined with less suspicion of codes, makes these attacks more effective.
- Easier to Target Smartphone Users: QR codes are easier to scan for smartphone users as more people primarily use smartphones for email. QR codes are a more natural, clickless way to direct them to a malicious site.
What Is the Safest Way to Scan a QR Code?
The safest way to scan a QR code is to use your phone’s built-in camera app. It’s best to avoid third-party scanners and always verify the URL before tapping on anything. Skipping these checks may result in unintended malware installation.
Safest Ways to Scan a QR Code
Here are the best practices for safely scanning QR codes:
- Use the Device’s Built-in Camera: We recommend using your device’s built-in camera, i.e., the default camera app. It has built-in security and shows a preview of the link before opening.
- Verify the URL: Verify if the page is legit before tapping on anything. Check if it looks legit and if there are any spelling errors or messages that spark urgency.
- Beware of Tampering: Don’t scan codes that look flooded with ads and stickers. Scammers often place malicious code over these stickers or redirect you via the ads.
- Avoid Suspicious Links: Be cautious with the QR codes from emails, social media posts, or any random ads.
- Don’t Share Sensitive Information: Avoid sharing any personal details, such as your account credentials and password.
- Verify the Source: Ensure that you only scan QR codes from reliable brands or businesses rather than any random QR code that you saw online.
FAQs – QR Code Login Scam
Yes, QR code logins can be stolen via different cyberattack methods. The QR codes don’t steal your data. But the destination can be dangerous and may result in credential phishing.
Data brokers target accounts by collecting personal information from a vast network of online and offline sources. They then build individual profiles, and scammers use them for various reasons, such as identity theft, risk assessment, and also targeted ads.
Login data is traded via two channels, i.e., the legal market and the illegal black market (dark web), which involves cybercriminals. At the same time, the legal market includes your data being sold to governments, commercial sources, or for risk assessment.
Passwordless login risks include phishing attacks against authentication prompts, device compromise, and account lockout when users lose access to enrolled devices. Passwordless login risks also include weak recovery flows that attackers exploit to bypass authentication. Strong device security and multi-factor backups reduce these risks.
Final Note
QR code login scams are growing prevalent due to various reasons, such as less awareness about QR code scams and the ability of these codes to bypass scam filters. The URL is embedded within the image, making it difficult for filters to catch the embedded link.
One of the best ways to prevent QR code login scams is to set a strong password, avoid scanning random QR codes, and not share your sensitive information even if required.