You see QR codes just about everywhere these days: real estate listings, television advertisements and social media posts touting what look like great deals on must-have items.

The pandemic fuelled a surge in the use of QR codes. Seeking to cut down on possible transmission, restaurants replaced physical menus with online versions accessible on customers’ phones – scan that little square and find out what is the house special.

Cybercriminals have quickly taken note and started to exploit the technology’s undeniable convenience. Scammers are creating their own malicious QR codes, designed to dupe unwitting consumers into giving their banking or personal information.

Anytime a new technology comes out, cybercriminals will try to find ways to exploit it. This is especially true with technology like QR codes, which people know how to use but may be ignorant as to how they work.

QR codes – the abbreviated version of “quick response” – were invented in Japan in the 1990s. They were first used by the automotive industry to manage production, but have spread everywhere.

Websites and apps have cropped up that let you make your own.

QR codes are also being used by cybercriminals in email phishing scams. Scanning a bogus QR code will not harm your phone, for example by downloading malware onto it, but it will take you to “scammy” websites designed to collect bank account, credit card or other personal information.

Like any other phishing scheme, it is impossible to know exactly how often QR codes are used for malicious purposes. Experts say they still represent a small percentage of overall phishing, but numerous scams involving QR codes have been reported to the Better Business Bureau, especially in the past year.

Recently, the Federal Bureau of Investigation issued a warning advising consumers to think before they scan potentially sketchy QR codes. Many people know they need to be on the lookout for “phishy” links and questionable attachments in emails that purport to be from banks. But thinking twice about scanning a QR code with your smartphone camera is not second nature for most people.

Taking advantage of unsuspecting motorists may have been behind the nearly 30 malicious QR code stickers recently found on parking meters in Austin, Texas, which uses QR code technology to let drivers pay for parking online. Instead of being taken to the city’s authorised website or app, motorists who scanned the scam stickers were led to a fake website that collected their credit card information. Police do not know how many people were duped. The department encouraged anyone who thought their credit card information was stolen by the fake website to contact them.

Austin is not the only city to experience bogus QR code scams. Officials in San Antonio, Texas, about 80 miles away, issued a warning after spotting similar stickers connected to a fake parking payment website.

QR codes take people from the physical world to the online one. That is why it makes sense to use them in scam stickers, as well as paper junk mail. It gets people who have not been online to start doing so.

Scam QR codes are starting to show up in phishing emails and online advertisements. There is no reason for someone to scan a QR code that is in an email they are already looking at. After all, the recipient is already online. Why would a legitimate sender want them to connect with a second device? For that reason, consumers should regard any email containing a QR code with suspicion.

Still, phony codes show up in phishing emails, although not as often as tried-and-true tactics, like attachments containing viruses or links to scam websites.

Cofense, a leading provider of protection, detection and response email security solutions, recently spotted a phishing scam targeting German speakers that included a QR code in an attempt to lure mobile banking users.

Hackers may like using QR codes in phishing emails because they often are not picked up by security software, giving them a better chance to reach their intended targets than attachments or bad links. Even if the success rate is lower, it is a lot easier to send out millions of phishing emails than it is to physically place stickers on parking meters and bus stops.

What it boils down to is that QR codes are just one more way for cybercriminals to get what they want, and yet another threat people need to be on the lookout for.

There are so many ways to be compromised these days, but it only takes one.

Tips to remember

Think before you scan. Be especially wary of codes posted in public places. Take a good look – is it a sticker or part of a bigger sign or display? If the code does not look like it fits in with the background, ask for a paper copy of the document you are trying to access, or type the URL in manually. When you scan a QR code, take a look at the website it led you to. Does it look strange? If it asks for login or banking information that is not needed, do not send it.

Codes embedded in emails are almost always a bad idea. It is safer to skip these entirely. The same goes for codes you receive in unsolicited paper junk mail, such as those offering help with debt consolidation.

Preview the code’s URL. Many smartphone cameras, including iPhones running the latest version of iOS, will give you a preview of a code’s URL as you start to scan it. If the URL looks strange, you may want to move on.

Better yet, we recommend using a secure scanner app, which is designed to spot malicious links before your phone opens them. Trend Micro offers a free one as do some of the other big antivirus companies. But stick to well-known security companies. Malicious QR scanning apps designed to extract user information have made it into app stores in the past.
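The kind of checks that sit behind the URL-preview and scanner-app tips above, as an added example (not code from this article or from any vendor's scanner app): it reviews the text decoded from a QR code before anything is opened. The allowlisted host `parking.city.example`, the shortener list and the sample payloads are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the site the sign's real owner publishes.
EXPECTED_HOSTS = {"parking.city.example"}
# A few well-known link shorteners; they hide the destination from a preview.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def review_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Return a list of warnings for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["malformed link"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"not a web link (scheme {scheme!r})"]
    if not host:
        return ["no host name"]
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        warnings.append("text before '@' is not the site name")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a name")
    except ValueError:
        pass  # an ordinary host name
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("non-ASCII or punycode host (possible look-alike)")
    if host in SHORTENERS:
        warnings.append("link shortener hides the destination")
    elif host not in expected_hosts:
        warnings.append(f"host {host!r} is not an expected site")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real incident.
    for sample in ("https://parking.city.example/pay?zone=12",
                   "https://parking.city.example@pay-meter.example/login",
                   "http://203.0.113.7/pay",
                   "https://bit.ly/abc123"):
        print(sample, "->", review_qr_payload(sample) or "no warnings")
```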

Use a password manager. As with all kinds of phishing, if a QR code takes you to an especially convincing fake website, a password manager will still know the difference and not autofill your passwords.

George Matthews, Principal Data Privacy and Security Compliance Analyst/Data Protection Officer, NT Business Consulting and Training. Comments: letters@thesundaily.com