Beware falling victim to QR code scams
Few technologies have managed to snatch success from the jaws of defeat like QR codes. The small barcodes, which can be scanned by smartphone cameras to take users to websites, were a much-maligned technology in the mid-2010s, with stories written about their demise.
Fast-forward a decade, and QR codes are everywhere. They’re used to check parcel deliveries, check into hotels, and check restaurant menus from your table. What changed was simple: the pandemic.
With the fear of contracting the coronavirus came a rise in contactless facilities that didn’t require people to interact closely with one another. The increasing digitization of services meant that things that were once done in person were now transacted through smartphones. And that meant that there needed to be a quicker, easier way to access those services than downloading an app or entering a long URL into a phone’s web browser.
A ubiquitous technology
“QR codes are now in common sight everywhere from conformation emails booking NHS PCR tests through to replacing traditional menus in bars, trains, and restaurants,” says Bharat Mistry, technical director at cybersecurity service provider Trend Micro.
“This popularity has now drawn the attention of cybercriminals looking to exploit the technology for illicit gains by tricking users to go to what they believe is a genuine site but is in fact a fake,” says Mistry. It’s not just him that’s recognized the risk. In January 2022, the FBI’s Internet Crime Complaint Centre (IC3) published a warning to individuals and businesses about a rise in the malicious use of QR codes.
“Cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use,” the agency wrote. Tampering was taking place to supplant legitimate QR codes with illegitimate ones that took users to phishing sites that would siphon off their information and put them in danger.
What makes QR codes risky?
There are challenges unique to QR codes: their existence is meant to make it easier to access key websites or apps that are designed to provide a public service – saving us from having to laboriously type in a URL into a web browser.
Yet that convenience comes at a cost. We simply can’t know what information the QR code is hiding behind its black and white checkerboard or what URL it’s going to take us to if we scan it without doing it. “We’ve all been taught from the beginning to look out for suspicious URLs in emails or webpages by looking at the format, the domain name, etc., and most people can spot them with naked eye,” says Mistry. “But how do you decipher if a QR code is legitimate or not by looking at it?”
Stay safe by staying away
That’s the million-dollar question. Because of the fact that the QR code doesn’t show you where it’s taking you before you take the time to scan it, you’re unable to really understand and weigh up the risks involved without delving in yourself.
The FBI’s IC3 advises being cautious about inserting any personal or banking information into a website that you access through a QR code, as well as also practicing physical safety checks. “Ensure the code has not been tampered with, such as with a sticker placed on top of the original code,” they advise. The organization also suggests not making payments or downloading apps through QR codes because of the fear of the provenance of those services.
It’s for all these reasons that Mistry advises an abundance of caution. “There is no way of knowing unless you scan the code and the device goes to the site, by which time it may be too late,” he says. Stay safe by staying clear of QR codes entirely.
More from Cybernews:
Iran "behind cyberattack on sick Boston children"
Black Basta: a new ransomware group or a Conti faction?
Karakurt gang demands up to $13 million in data extortion attacks
Russia calls for Google ban on Tor
Evil Corp sheds skin to evade US sanctions
Subscribe to our newsletter
Your email address will not be published. Required fields are marked