'Quishing' scams dupe millions of Americans as cybercriminals turn the QR code bad

What caught my attention is Fongfong2 | Istock | Getty ImagesQR codes were once a quirky novelty that mpted a fun scan with the phone

Early on, you might have seen a QR code on a museum exhibit and scanned it to learn more the eating habits of the woolly mammoth or military strategies of Genghis Khan, amid market uncertainty

During the pandemic, QR codes became the default restaurant

However, as QR codes became a mainstay in more urgent aspects of American life, from boarding passes to parking payments, hackers have exploited their ubiquity. "As with many nological advances that start with good intentions, QR codes have increasingly become targets for malicious use

Because they are everywhere — from gas pumps and yard signs to television commercials — they're simultaneously useful and dangerous," said Dustin Brewer, senior director of active cybersecurity services at BlueVoyant

Brewer says that attackers exploit these seemingly harmless to trick people into visiting malicious websites or unknowingly private information, a scam that has become known as "quishing, in today's financial world. "The increasing prevalence of QR code scams mpted a warning from the Federal Trade Commission earlier this year unwanted or unexpected packages showing up with a QR code that when scanned "could take you to a phishing website that steals your personal information, credit card numbers or usernames and passwords

It could also download malware onto your phone and give hackers access to your device (quite telling), considering recent developments. "State and local advisories this summer have reached across the U (noteworthy indeed) (noteworthy indeed)

On the other hand, , with the New York Department of Transportation and Hawaii Electric warning customers avoiding QR code scams

This tells us that appeal to cybercriminals lies in the relative ease with which the scam operates: slap a fake QR code sticker on a parking meter or a utility bill payment warning and rely on urgency to do the rest. "The crooks are relying on you being in a hurry and you needing to do something," said Gaurav Sharma, a fessor in the department of electrical and computer engineering at the University of Rochester

On the rise as traditional phishing failsSharma expects QR scams to increase as the use of QR codes spreads (something worth watching)

Another reason QR codes have increased in ity with scammers is that more safeguards have been put into place to tamp down on traditional phishing campaigns

A study this year from cybersecurity platform KeepNet Labs found that 26 percent of all malicious links are now sent via QR code

Nevertheless, According to cybersecurity company, NordVPN, 73% of Americans scan QR codes without verification, and more than 26 million have already been directed to malicious sites. "The cat and mouse game of security will continue and that people will figure out solutions and the crooks will either figure out a way around or look at other places where the grass is greener," Sharma said

Sharma is working to develop a "smart" QR code called a SDMQR (Self-Authenticating Dual-Modulated QR) that has built-in security to prevent scams, considering recent developments

But first, he needs buy-in from Google and Microsoft, the companies that build the cameras and control the camera infrastructure

Companies putting their logos into QR codes isn't a fix because it can cause a false sense of security, and that criminals can usually simply copy the logos, he said

Some Americans are wary of the increasing reliance on QR codes. "I'm in my 60s and don't using QR codes," said Denise Joyal of Cedar Rapids, Iowa (this bears monitoring), amid market uncertainty. "I definitely worry security issues

At the same time, I really don't it when one is forced to use a QR code to participate in a motion with no other way to connect

I don't use them for entertainment-type information, in this volatile climate

On the other hand, "Institutions are also trying to fortify their QR codes against intrusion

Additionally, Natalie Piggush, spokeswoman for the Children's Museum of Indianapolis, which welcomes over one million visitors a year, said their IT staff began upgrading their QR codes a couple of years ago to tect against what has become an increasingly significant threat

Additionally, "At the museum, we use stylized QR codes with our logo and colors as opposed to the standard monochrome codes

Additionally, We also detail what users can expect to see when scanning one of our QR codes, and we regularly inspect our existing QR codes for tampering or for out-of-place codes," Piggush said

Museums are usually less vulnerable than places train stations or parking lots because scammers are looking to collect cash from people expecting to pay for something (an important development)

Moreover, A patron at a museum is less ly to expect to pay, although Sharma said even in those settings, fake QR codes can be deployed to install malware on someone's phone, in light of current trends

Apple, Android user trust is an issueQR code scams are ly to hit both Apple and Android devices, but iPhone users may be slightly more ly to fall victim to the crime, according to a study earlier this year by Malwarebytes

Users of iPhones expressed more trust in their devices than Android owners and that, reers say, could cause them to let down their guard

However, Malwarebytes reer David Ruiz wrote that trust could have an adverse effect, in that iPhone users do not feel the need to change their behavior when making online purchases, and they have less interest in (or may simply not know ) using additional cybersecurity measures, antivirus (which is quite significant)

Additionally, Fifty-five percent of iPhone users trust their device to keep them safe, versus 50 percent of Android users expressing the same sentiment, in today's market environment

Low investment, high return hacking tacticA QR code is more dangerous than a traditional phishing because users typically can't read or verify the encoded web address

Even though QR codes normally include human-readable text, attackers can modify this text to deceive users into trusting the link and the website it directs to

The best defense against them is to not scan unwanted or unexpected QR codes and look for ones that display the URL address when you scan it, given current economic conditions

Brewer says cybercriminals have also been leveraging QR codes to infiltrate critical networks. "There are also credible reports that nation-state intelligence agencies have used QR codes to commise messaging accounts of military personnel, sometimes using software Signal that is also open to consumers," Brewer said, in light of current trends

Moreover, Nation-state attackers have even used QR codes to distribute remote access trojans (RATs) — a type of malware designed to operate without a device owner's consent or knowledge — enabling hackers to gain full access to targeted devices and networks

Moreover, Additionally, Still, one of the most dangerous aspects of QR codes is how they are part of the fabric of everyday life, a cyberthreat hiding in plain sight (quite telling). "What's especially concerning is that legitimate flyers, posters, billboards, or official documents can be easily commised

Moreover, Attackers can simply their own QR code and paste it physically or digitally over a genuine one, making it nearly impossible for the average user to detect the deception," Brewer said

On the other hand, Rob Lee, chief of re, AI, and emerging threats at the cybersecurity training focused SANS Institute, says that QR code commise is just another tactic in a long line of similar strategies in the cybercriminal playbook, amid market uncertainty. "QR codes weren't built with security in mind, they were built to make life easier, which also makes them perfect for scammers," Lee said (something worth watching), given current economic conditions. "We've seen this playbook before with phishing s; now it just comes with a smiley pixelated square

On the other hand, It's not panic-worthy yet, but it's exactly the kind of low-effort, high-return tactic attackers love to scale. "watch now10:1210:12How deepfake job seekers are using AI to steal jobsCNBC Digital Original.