QR Codes: Convenient Digital Tools or Gateway to Cyber Threats?

By Tarik Al-Turki, Director of Solutions Engineering at Cisco Saudi Arabia

How big of a problem is it, really?

Whether you’re ordering at a restaurant, purchasing a concert ticket, or even joining a WiFi network, QR codes are everywhere in today’s world. As Saudi Arabia embraces digital transformation, QR codes have become essential to its digital ecosystem. From contactless payments to smart city services, they offer convenience and efficiency.

However, with their increasing adoption, QR codes are becoming a target for malicious actors. Their ubiquity and simplicity allow them to bypass traditional security measures, posing risks, especially in emails. Cisco Talos, one of the most trusted threat intelligence research teams globally, has recently published research detailing how attackers are using QR codes maliciously as tools to bypass anti-spam filters. Findings show that 60% of emails with QR codes are spam. While QR codes appear in only 0.01% to 0.2% of global emails, they disproportionately bypass filters and reach inboxes.

Not all emails with QR codes are malicious; many include legitimate uses, such as email signatures or event signups. Still, malicious QR codes often link to phishing pages targeting multifactor authentication credentials. When scanned outside corporate networks, the resulting traffic bypasses security devices, making detection and defense more difficult.

Why Are Malicious QR Codes Hard to Detect?

QR codes embedded in images are challenging for anti-spam systems to identify. They require detection, decoding, and analysis of the embedded data. Attackers exploit this by creating QR codes that evade filters. For example, some attackers use Unicode characters to craft QR codes, further complicating detection.

Sharing malicious URLs safely, a process called “defanging,” involves altering the URL format (e.g., changing “http” to “hxxp”) to prevent accidental clicks. However, defanging is harder with QR codes because they are visual and uneditable. Talos research suggests disabling QR codes by removing their position detection patterns—corner boxes that determine orientation—rendering them unscannable.
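The sketch below is an added example, not code from this article or from Talos. It shows both kinds of defanging side by side, assuming the QR code is already available as a grid of modules (True = dark); the function names and the sample grid are constructed for illustration, and `scannable` is only a stand-in for a scanner's first step.

```python
FINDER = 7  # each position detection pattern is 7x7 modules

def defang_url(url):
    """Text defanging: http -> hxxp as in the article; bracketed dots are a common extra."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url.replace(".", "[.]")
    return scheme.replace("tt", "xx") + sep + rest.replace(".", "[.]")

def finder_origins(size):
    """Top-left (row, col) of the three corner patterns; bottom-right has none."""
    return [(0, 0), (0, size - FINDER), (size - FINDER, 0)]

def finder_module(r, c):
    """Dark outer ring, light inner ring, dark 3x3 centre."""
    return max(abs(r - 3), abs(c - 3)) != 2

def scannable(matrix):
    """Stand-in for a scanner's first step: are all three patterns intact?"""
    return all(matrix[r0 + r][c0 + c] == finder_module(r, c)
               for r0, c0 in finder_origins(len(matrix))
               for r in range(FINDER) for c in range(FINDER))

def defang_qr(matrix):
    """Return a copy with the three position detection patterns blanked out."""
    out = [row[:] for row in matrix]
    for r0, c0 in finder_origins(len(matrix)):
        for r in range(FINDER):
            for c in range(FINDER):
                out[r0 + r][c0 + c] = False
    return out

def sample_matrix(size=21):
    """Constructed 21x21 grid: real corner patterns, filler in place of data."""
    m = [[(r * 3 + c * 5) % 7 < 3 for c in range(size)] for r in range(size)]
    for r0, c0 in finder_origins(size):
        for r in range(-1, FINDER + 1):          # -1 and 7 cover the light separator
            for c in range(-1, FINDER + 1):
                rr, cc = r0 + r, c0 + c
                if 0 <= rr < size and 0 <= cc < size:
                    inside = 0 <= r < FINDER and 0 <= c < FINDER
                    m[rr][cc] = inside and finder_module(r, c)
    return m

if __name__ == "__main__":
    grid = sample_matrix()
    print(defang_url("http://example.com/login"), scannable(grid), scannable(defang_qr(grid)))
```

The data modules outside the three corners are left untouched, so an analyst who needs the payload can still recover it by redrawing the patterns.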

Be Careful What You Scan!

According to the Cisco Security Readiness Index, 67% of KSA companies have already experienced a cybersecurity incident in the past year. With increased digitization, cyber threats are also on the rise.

Security professionals have long advised users against clicking on unfamiliar or suspicious URLs, as they may lead to phishing pages, malware, or other harmful sites. However, many users don’t take the same care when scanning unknown QR codes. 

Scanning an unknown or suspicious QR code is equivalent to clicking on a suspicious URL. There’s even a variation of QR codes called ‘QR art,’ a type of QR code designed to resemble artwork, such as a landscape, a plate of spaghetti, or a waterpark, while remaining readable to scanners. This could trick people who only wanted to take a picture of the art into scanning a QR code and inadvertently navigating to the linked content.

QR codes are practically everywhere, from emails to restaurant menus, events, packaging, museums, and public spaces. The best defense is to not scan them. Scanning a QR code is like clicking on an unknown hyperlink without seeing the full URL. However, sometimes it is necessary. Ask yourself: does it look official? Does it look like a scam QR code has been placed on top of the official one? Yes, that has happened. Exercise caution when you need to.

How to Stay Safe

There are free online QR code decoders. If you can save a screenshot, upload it to the decoder to decode the data and inspect the link. You can also use a malware analysis application like Cisco Secure Malware Analytics to view the URL content safely. This will allow you to view the content behind the URL from a safe place, without jeopardizing the security of your desktop or mobile device. Never enter your username and password on an unknown site. Instead, directly navigate to where you want to log in.

Securing Saudi’s Digital Future

As part of its Vision 2030 goals, Saudi Arabia’s focus on building robust digital infrastructure must include raising public awareness about cybersecurity. Encouraging safe practices, such as verifying QR codes and using secure tools like Cisco Secure Malware Analytics, will help protect citizens and businesses in this fast-evolving digital landscape.
