Be careful when you scan QR codes

QR code use surged as part of the various track-and-trace initiatives implemented around the world, and cybercriminals were quick to take advantage of this development, coming up with new ways of targeting users.

The growth in QR code usage was fueled by the pandemic in which contactless became very much the norm. Recent data showed that around 86% of smartphone users had scanned a QR code at least once, with 36% of users scanning one once every week.

This high usage level was underpinned by general confidence in their utility: nearly half of smartphone users said QR codes made their life easier, and a similar proportion hoped they would be used more often in the future.

"The use of QR codes has regained popularity during the pandemic, particularly with NHS Track and Trace and ordering lateral flow test kits. Also, publicly displayed information, such as timetables and menus at bars and restaurants, have introduced QR codes to make it easy for customers to visit a website," says Martin Smith, founder of the Security Awareness Special Interest Group (SASIG).

"Cybercriminals are including QR codes into phishing attacks, a practice known as Quishing. Unsuspecting users inadvertently scan fake QR codes that take users to fake and potentially harmful sites."

Taking advantage

Given the adaptability of cybercriminals, it should perhaps come as no surprise that they quickly took notice of this surge in usage and began to capitalize on it to trick unsuspecting people.

Numerous examples have emerged of criminals creating malicious QR codes that aim to trick people into handing over information or installing malware. For instance, in Texas, law enforcement agents have noticed fake QR codes placed on parking meters that trick motorists into paying scammers rather than official authorities.

Similarly, instances in Atlanta have emerged whereby fake parking tickets were slapped on motorists' windshields with a QR code allowing the driver to pay the “fine”. Of course, real parking tickets don’t come with a QR code attached, but it’s perhaps fair to say that many people don’t know this and will be taken in by something that looks authentic.

Scams have been observed in a wide range of places, including online adverts, billboards, and phishing emails. They are all designed to fool people into clicking on a dangerous link and either divulging sensitive information or downloading malware.

As with other forms of phishing attacks, it can be difficult to know the full extent of QR scams, but they are growing to a sufficient extent to prompt the FBI to issue a warning to consumers to be on the lookout for potentially dangerous uses of the technology.

"The FBI is issuing this announcement to raise awareness of malicious Quick Response (QR) codes," they warn. "Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information."

A growing trend

The Better Business Bureau is one agency that has been noticing a growth in QR scams. In July last year, they issued an alert warning people about the potential of receiving fake QR codes across a range of media, including SMS, social media, and even via the mail.

For instance, one victim told the Bureau that they received a fraudulent letter about consolidating their student loan. The letter contained a QR code that the victim thought linked them to the official website for Student Aid, but instead, it took them to a fake phishing website. QR codes are also a common means by which to conduct cryptocurrency scams, with Bitcoin addresses often sent via QR codes.

“It is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code,” the FBI warns. “Law enforcement cannot guarantee the recovery of lost funds after transfer.”

How to stay safe

The BBB provides a number of tips to help people stay safe and avoid QR scams. The first piece of advice is to never open any links from strangers. If a message is unsolicited, it's highly unlikely that scanning its QR code will do you any good, even if the message promises gifts or investment opportunities.

If the message is from someone you know, then do your best to confirm that it's legitimate before you scan it. It's easy to check with your contact whether they really have sent you a message, and doing so will certainly pay off.

If the message appears to come from a legitimate and reputable source, you should still do your best to verify it. For instance, if the message appears to come from a government agency, it pays to contact that agency through a channel you already trust to confirm that they really sent it.

It's also possible to get antivirus software with QR scanning functionality built in. Such software decodes the code and checks the embedded link before opening it, which helps prevent you from downloading malicious software or falling prey to phishing scams.
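As an added illustration of the "check the link before you open it" step that a safe QR scanner performs, the following Python function vets the text decoded from a QR code and returns a list of risk flags. It is example code written for this article, not the logic of any product mentioned here; the expected-domain allow-list and shortener list are constructed placeholder values, and the flags are heuristics (an empty list means nothing suspicious was detected, not that the link is safe).

```python
"""Vet the text decoded from a QR code before acting on it.

Constructed example for this article. It models the safe-scanner step of
decoding first, inspecting the destination, and only then letting the user
decide whether to open it.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of domains the user expects to land on (placeholder values).
EXPECTED_DOMAINS = {"studentaid.gov", "example-city.gov"}

# Constructed list of well-known URL shorteners; a shortener hides the real destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Schemes a scanner should never open straight from a code.
DANGEROUS_SCHEMES = {"javascript", "data", "file", "intent"}


def host_is_ip_literal(host: str) -> bool:
    """True when the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def vet_qr_payload(payload: str) -> dict:
    """Return the decoded destination, its host and a list of risk flags."""
    flags = []
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if not scheme:
        # Plain text or a bare domain: nothing to open, but still show it to the user.
        return {"destination": text, "host": "", "flags": ["not_a_url"]}

    if scheme in DANGEROUS_SCHEMES:
        flags.append("dangerous_scheme")
    elif scheme != "https":
        flags.append("not_https")

    if host_is_ip_literal(host):
        flags.append("ip_literal_host")
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode_host")  # possible look-alike (IDN) domain
    if host in SHORTENER_HOSTS:
        flags.append("url_shortener")
    if parts.username is not None:
        flags.append("credentials_in_url")  # "https://trusted.example@other.example" trick

    try:
        if parts.port not in (None, 80, 443):
            flags.append("unusual_port")
    except ValueError:
        flags.append("invalid_port")

    # A host that merely contains an expected domain as a substring
    # (e.g. studentaid.gov.some-login.example) is a classic look-alike.
    if host and host not in EXPECTED_DOMAINS:
        for good in EXPECTED_DOMAINS:
            if good in host and not host.endswith("." + good):
                flags.append("lookalike_domain")
                break

    return {"destination": text, "host": host, "flags": flags}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner might decode them.
    for sample in (
        "https://www.studentaid.gov/loan",
        "http://bit.ly/abc123",
        "https://studentaid.gov.some-login.example/verify",
        "javascript:alert(1)",
        "Hello world",
    ):
        result = vet_qr_payload(sample)
        print(f"{result['destination']!r:55} -> {result['flags']}")
```

The key design choice is that the scanner shows the user the full decoded URL together with the flags instead of silently opening it: the scams described in this article work precisely because the printed code gives the victim no way to see where it leads.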

"We would strongly recommend that organizations ensure mobile security software that includes a safe QR code scanner is used. Having an added layer of protection will help avoid any security mishaps you’ll regret," Smith continues. "As nine out of 10 cybersecurity incidents involve human error, warnings about fake QR codes should also be built into cybersecurity awareness training."

As with phishing scams in general, the key is to pay attention and not scan things without thinking first. Scammers rely on the fact that we scan without analyzing the reliability of what we’re doing. While QR codes are undoubtedly convenient, that convenience can carry risks, and just as we have learned to be wary of clicking on a link in an email without thinking first about its safety, so too are we going to have to learn to do likewise with QR codes.


prefix 2 years ago
I’m so glad I subscribed to CyberNews. I’m a 72 year old person who really needed a source to keep up with scammers. And after reading the QR code article I will never use them. Thanks!