QR codes are rising in popularity and use, according to a consumer sentiment study by MobileIron. Sixty-four percent of respondents stated that a QR code makes life easier in a touchless world – despite a majority of people lacking security on their mobile devices, with 51% of respondents stating they do not have or do not know if they have security software installed on their mobile devices.
Mobile devices have become even more important and ingrained in everyone’s lives during the COVID-19 pandemic, and 47% of respondents have noticed an increase in QR code use.
At the same time, employees are using mobile devices – and in many cases, their own unsecured devices – more than ever before to connect with others, interact with a variety of cloud-based applications and services, and stay productive as they work from anywhere.
Many employees are also using their mobile devices to scan QR codes in their everyday lives, putting themselves and enterprise resources at risk.
QR codes skyrocketed in popularity and use during the pandemic
- 84% of people have scanned a QR code before, with 32% most recently having scanned a QR code in the past week and 26% most recently having scanned a QR code in the past month.
- In the last six months, 38% of respondents have scanned a QR code at a restaurant, bar or café; 37% of respondents have scanned a QR code at a retailer; and 32% have scanned a QR code on a consumer product.
- 53% of respondents want to see QR codes used more broadly in the future.
- 43% of respondents plan to use a QR code as a payment method in the near future.
- 40% of people would vote using a QR code received in the mail, if it was an option.
Attackers are also capitalizing on security gaps during the pandemic and increasingly targeting mobile devices with sophisticated attacks. Mobile devices are appealing targets for hackers because the mobile user interface prompts users to take immediate actions, while limiting the amount of information available. Plus, users are often distracted when on their mobile devices, making them more likely to fall victim to attacks.
“Hackers are launching attacks across mobile threat vectors, including emails, text and SMS messages, instant messages, social media and other modes of communication,” said Alex Mosher, Global VP of Solutions, MobileIron.
“I expect we’ll soon see an onslaught of attacks via QR codes. A hacker could easily embed a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned. Or, the hacker could embed a malicious URL into a QR code that directs to a phishing site and encourages users to divulge their credentials, which the hacker could then steal and use to infiltrate a company.”
QR codes pose significant risks to both end users and enterprises
- 71% of respondents cannot distinguish between a legitimate and malicious QR code, whereas 67% of those surveyed are able to distinguish between a legitimate and malicious URL.
- While 67% of respondents are aware that QR codes can open a URL, they are less aware of the other actions that QR codes can initiate. Only 19% of respondents believe scanning a QR code can draft an email; 20% believe scanning a QR code can start a phone call; and 24% believe scanning a QR code can initiate a text message.
- 51% of respondents have privacy, security, financial or other concerns about using QR codes, but still use them anyway; 34% have no concerns about using QR codes.
- 35% of respondents are unsure whether hackers can target victims using a QR code.
“Companies need to urgently rethink their security strategies to focus on mobile devices,” continued Mosher. “At the same time, they need to prioritize a seamless user experience. A unified endpoint management solution can provide the IT controls needed to secure, manage and monitor every device, user, app and network being used to access business data, while maximizing productivity.
“Organizations can also build upon UEM with a mobile threat defense solution to detect and remediate mobile threats, including malicious QR codes, even when a device is offline.”