Cybercriminals target diners using menu QR codes

The proliferation of QR code menus in restaurants has led to a surge in scams targeting customers for their money and personal data over the past two years, according to anti-phishing company TitanHQ.

Almost 84% of smartphone users have scanned a QR code at least once, while one in three scan a QR code once per week, and the popularity of the technology has led to an increase in 'QR code phishing'.

QR codes work by embedding instructions into a black-and-white dot-based image, similar to barcodes on products. The data embedded in the QR code is then translated into human-readable information when the user scans it with their smartphone camera, app or scanning device.

QR codes usually contain web links or links to media such as videos or links to download an app, but the use of links in QR codes provides cybercriminals with the opportunity to perform phishing scams.

Many restaurants switched to using QR code menus during the pandemic as a way to reduce the chances of Covid-19 infection, with customers scanning the barcode with their phone and being presented with an online menu.

Scammers take advantage by replacing the restaurant's legitimate QR code with a malicious one that takes customers to a fake website, where the scammers can capture the customers' personal data.

TitanHQ, with offices in Galway and Connecticut, recommends behaviour-based security awareness training to limit risks, and for businesses to ensure they include their QR code phishing templates in their simulated phishing exercises so employees understand what such emails look like and the different methods used to steal credentials and other data.

Secondly, TitanHQ recommends the use of a DNS filter to break the phishing cycle by preventing users from navigating to a malicious website. The filter uses a dynamic system built on a 'threat corpora', drawn from the data of millions of subscribers, to create a blocklist of websites.
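The kind of blocklist lookup a DNS filter performs, applied here to the text decoded from a QR code, as an added example that is not TitanHQ's code. The blocklist entries, the sample payloads and the function names are constructed for illustration and use reserved `.example` names.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed blocklist entries (reserved .example names, not real indicators).
BLOCKLIST = {"menu-login.example", "pay.badcdn.example"}

def hostname_of(payload: str) -> Optional[str]:
    """Return the normalized host a decoded QR payload would make a phone resolve."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return None  # not a web link (Wi-Fi config, plain text), nothing to resolve
    host = parts.hostname  # drops any "user@" prefix and port, lowercases
    if not host:
        return None
    host = host.rstrip(".")  # "site.example." and "site.example" are the same name
    try:
        # Compare in the ASCII (punycode) form that is actually sent to DNS.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # not a valid DNS name, so it cannot be resolved at all

def is_blocked(payload: str, blocklist=BLOCKLIST) -> bool:
    """True when the payload's host, or any parent domain of it, is blocklisted."""
    host = hostname_of(payload)
    if host is None:
        return False
    labels = host.split(".")
    # A blocklisted domain also covers every subdomain beneath it.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

if __name__ == "__main__":
    # Constructed payloads, as a QR decoder would hand them over.
    samples = [
        "https://restaurant.example/menu",
        "https://restaurant.example@menu-login.example/menu",  # real host follows "@"
        "HTTPS://Order.Menu-Login.Example./table/4",
        "https://menu-login.example.restaurant.example/",      # lookalike prefix only
    ]
    for s in samples:
        print("BLOCK" if is_blocked(s) else "allow", s)
```

Matching on the parsed hostname rather than on the raw string is what stops a familiar name placed before an `@` from hiding the blocklisted destination.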

Finally, the firm suggests the use of email filters to detect phishing messages.

Other identified QR code scams include QRL jacking, whereby the attacker initiates a session on a legitimate website, generating the QR code to log in before capturing the QR code via screen scraping and embedding it on a spoof site.

The attacker then uses spear-phishing to target an individual, tricking them into going to the spoof site. The target then uses the captured QR code to log in; this logs into the original session, giving the attacker access to a legitimate account.

This scam is more challenging to carry out as it is time-sensitive; however, it will be worth the effort if this is a high-value or sensitive account, according to TitanHQ.

QR crypto-quishing scams, meanwhile, involve the capture of persistent consent (or prior authorisation) to use a crypto wallet, allowing attackers to drain it of cryptocurrency.

There's also Drive-by-QR Code Phishing, whereby victims are sent phishing emails with QR codes that take them to an infected website, and their device may become infected with malware as a result.

(Pic: Getty Images)
