As the UK gears up for the summer event season, the Cyber team at QuestGates warns that cybercriminals are increasingly likely to target the hospitality and events industries due to their accelerated use of QR codes as a result of the pandemic.
Head of Cyber and Financial Lines, Will Gow, says: “Cybercriminals will always look for the easy option of stealing data or money. Because so many hospitality and event companies were under pressure to get trading again as quickly as possible as Covid restrictions eased, many of the companies supplying QR codes did not adequately consider protection measures. Given the relative ease of accessing and stealing customers’ data and bank account details, we’ve seen a rising trend over recent months in the number of compromises involving QR codes.”
Faced with the need to maintain social distancing due to Covid restrictions, bars, restaurants and events needed to find a simplified way to allow customers to order and pay. QR codes provided that simple solution, and this saw an onslaught of tech start-ups selling codes quicker than they could generate them, with seemingly few questions about what cybersecurity measures were in place.
Gow continues: “Many businesses in the hospitality and events industries have integrated QR codes into their day-to-day operations, but unfortunately don’t realise how easy it is for a cybercriminal to replicate a code and simply stick a fake look-alike over the top of a physical code or hack a virtual code via a compromised unsecured site. When a customer unknowingly scans the fake code, they are re-routed to a convincing clone site and unwittingly provide all their personal details to the cybercriminals who can then parcel the data up and sell it on the Dark Web. This can be repeated hundreds of thousands of times across multiple customers due to the volume and speed of transactions, particularly at large-scale events.”
He concludes: “In the rapidly evolving landscape of cybercrime, it’s imperative that businesses think carefully about protecting their customers’ data and implementing appropriate cybersecurity measures. Those who don’t could not only face hefty fines from the ICO, but also suffer irreparable reputational damage.”