Large-scale QR code uptake attracts cybercriminals

08 June 2022 Ryan van de Coolwijk at ITOO Special Risks

The huge upswing in online shopping across the globe during the COVID-19 pandemic, coupled with the proliferation of smartphone use over the past few years, has spurred massive adoption of Quick Response (QR) codes.

QR codes are two-dimensional barcodes that can be read and understood by mobile devices. Their general ease of use and ability to rapidly transfer information to the user have seen them gain popularity among e-tailers and marketers.

Capgemini’s 2021 World Payments Report shows that of the 700 billion digital transactions made in 2020 around the world, more than a billion were made using a mobile phone, with the research indicating QR codes to be one of the big drivers of mobile payments.

This is certainly the case in South Africa, which has a large unbanked population, but high mobile penetration, making the use of QR codes an ideal solution in a market that has a large appetite for mobile technologies.

A study conducted by Deloitte in 2019 showed that 73% of South African consumers reported that they are ready to make payments using their mobile phones, while merchants said that by accepting QR payments they typically increased their revenue by 10%.

First developed in 1992, QR codes can be used for everything from accessing information on pieces of mail to viewing restaurant menus. Marketers have used them on billboards, magazines, web pages and any other marketing material to seamlessly communicate information about products and services.

Unlike traditional barcodes that only store and display alphanumeric characters, QR codes can store much more, including complex data such as URLs, and can redirect users to almost anywhere on the internet.

But their newfound popularity has also made them attractive to cybercriminals, who use them to obtain users’ sensitive information or deliver malware to their devices. QR code phishing can be used to steal a user’s credentials, make fraudulent online payments, unlock encrypted voicemails and even initiate phone calls.

This is according to America’s Federal Bureau of Investigation (FBI), which recently issued a warning to users that cybercrooks can easily tamper with both digital and physical QR codes, replacing legitimate codes with malicious ones.

This means that unsuspecting victims then scan what they think is a legitimate QR code, only to be directed to a malicious site, which typically prompts them to enter login and financial information. Access to the victim’s information gives the cybercriminal the ability to potentially steal funds from their accounts.

In addition, malicious QR codes could also contain embedded malware, allowing cybercriminals to gain access to a user’s mobile device and steal their location, as well as personal and financial information. This stolen financial information can then be leveraged to withdraw funds from the victim’s accounts. Although QR codes are not malicious in nature, users should exercise caution when entering financial information and making payments through a site they were directed to by a QR code.

Generally, users should treat any QR code sent via email with suspicion, as a legitimate sender would have likely sent the actual URL. Sending it in an email is most likely an attempt to circumvent URL scanning solutions, many of which do not currently analyse QR codes.
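The gap described above closes once the text inside a QR image is treated like any other link in the message. The following sketch is an added example, not part of the original article: it assumes the image has already been decoded to text by a separate QR library, and the function name, flag wording and sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Payload prefixes that make a scanner app act (call, message, join Wi-Fi)
# rather than open a web page.
ACTION_SCHEMES = {"tel": "phone call", "sms": "text message",
                  "smsto": "text message", "mailto": "email", "wifi": "Wi-Fi join"}

def triage_qr_payload(payload: str) -> dict:
    """Classify already-decoded QR text and list reasons to hold it for review."""
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    if scheme in ACTION_SCHEMES:
        return {"kind": ACTION_SCHEMES[scheme],
                "flags": ["triggers a device action, not a page view"]}
    if scheme not in ("http", "https"):
        return {"kind": "text", "flags": []}
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    flags = []
    if scheme == "http":
        flags.append("no TLS")
    if parts.username or parts.password:
        flags.append("userinfo before host")  # text before '@' is not the destination
    try:
        ipaddress.ip_address(host)
        flags.append("IP literal instead of domain")
    except ValueError:
        pass  # host is a name, not an address
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label")  # may render as a look-alike name
    try:
        port = parts.port
    except ValueError:
        port = -1  # malformed port number
    if port not in (None, 80, 443):
        flags.append("non-standard port")
    return {"kind": "url", "host": host, "flags": flags}

if __name__ == "__main__":
    # Constructed sample payloads (documentation domains and address ranges).
    for sample in ("https://www.example.com/menu",
                   "https://login.example.com@203.0.113.7:8443/pay",
                   "tel:+27110000000",
                   "WIFI:T:WPA;S:CafeGuest;P:constructed;;"):
        print(sample, "->", triage_qr_payload(sample))
```

An empty flag list only means none of these structural checks fired; the URL should still go through the same reputation scanning as a link typed into the email body.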

When dealing with suspect QR codes, users should use their judgement, avoiding offers that seem too good to be true, or ones that create artificial urgency, urging the user to act quickly. Also avoid sites that ask for credentials or, in the case of a printed QR code, ones that look like a second image was pasted over the original.

While cyber security solutions are key to stopping many types of cyberthreats, the end user is ultimately the final line of defence against attackers.

Ryan van de Coolwijk is Product Champion at ITOO Special Risks.
