How often do you scan QR codes without thinking twice? What if this seemingly harmless behaviour exposed you to a growing digital threat?
QR codes, or quick response codes, have grown in popularity and are now an essential tool in today’s digital landscape. Initially created for industrial tracking, their convenience has turned them into a key component of information sharing and digital transactions. The transition to cashless payments in the smartphone era has accelerated their widespread adoption, making them the preferred method for facilitating transactions, as well as accessing online services.
According to the 2024 CCAPAC report, QR codes have become a crucial part of digital payments, authentication, and business operations across the Asia-Pacific (APAC) region. Singapore’s financial institutions, retailers, and service providers rely heavily on QR codes to enhance customer experiences and streamline processes. However, their growing adoption has also attracted cybercriminals, who are increasingly using AI-driven fraud techniques to exploit QR-based transactions.
There are two types of QR codes: dynamic QR codes, which can be updated frequently but are susceptible to cyberattacks; and static QR codes, which remain unchanged but may still be targeted by cybercriminals. While both formats are useful, their vulnerabilities make them an easy target for cyberattacks. AI-powered fraud techniques have progressed, enabling attackers to modify QR codes, divert transactions, and steal sensitive data.
How cyberattackers carry out QR code attacks
Individuals and businesses alike can learn from these vulnerabilities, and understanding how they are exploited can help them protect themselves. The steps below show how a seemingly harmless scan can result in data theft and financial damage.
- Creation of malicious QR codes
Cybercriminals generate deceptive QR codes that take users to fake websites or trigger automated malware downloads, compromising device security. - Social engineering tactics
Attackers use persuasive messages, including urgent security alerts or exclusive offers, to manipulate users into scanning malicious QR codes. - Multiple distribution channels
Phishing emails, fake ads, and physical materials such as posters and flyers are all used to distribute malicious QR codes. Cybercriminals employ these tactics to attack victims both online and offline. - Camouflaging for deception
Malicious QR codes are designed to look legitimate by imitating branding, logos, and other design elements. This makes it difficult for users to distinguish them from legitimate ones. - Redirection to fake websites
After being scanned, victims are directed to fake websites that harvest sensitive credentials such as usernames, passwords, and financial information. - Data theft and unauthorised access
Cybercriminals collect personal information entered on fake websites. This can lead to identity theft, financial scams, or unauthorised access to user accounts.
Raising cybersecurity standards in Singapore
The increasing sophistication of cyberthreats in APAC, particularly in financial services, has resulted in a surge in QR code-related scams and identity theft. According to the Singapore Police Force, scam and cybercrime cases increased by 18% in the first half of 2024. In response, the Monetary Authority of Singapore (MAS) revised its E-Payments User Protection Guidelines to include stricter security protocols to protect consumers and businesses from unauthorised transactions. Regulations include:
- Real-time fraud alerts for high-risk activities, such as adding new payees or increasing transaction limits.
- A kill switch that allows users to instantly block their accounts if they suspect fraudulent activity.
- Restrictions on QR codes in SMS and emails — financial institutions can no longer send clickable links or QR codes through these channels unless the user is expecting them, and they must not lead to login pages or payment transactions.
Best practices for preventing QR code-based cyberattacks
While government policies strengthen cybersecurity efforts, it is still important for individuals and businesses to stay alert so they don’t fall victim to QR code scams.
- Update systems regularly: Regularly installing the latest security patches minimises vulnerabilities and reduces exposure to attacks.
- Enable multi-factor authentication (MFA): This adds an extra layer of protection against unauthorised access.
- Use QR codes with caution in digital communications: Avoid scanning codes in unsolicited emails or dubious documents without first checking their legitimacy.
- Use web filtering and security software: Prevent malware threats by blocking access to malicious websites.
- Stay up to date on emerging threats: Stay up to date on cybersecurity trends to spot emerging QR code scams.
