QR scams on the rise, warns analyst


Beware of QR codes – they might be a handy way of, say, ordering from a menu, but criminals increasingly abuse them online to steal credit-card data.

“Users should look out for emails and websites that ask to scan QR codes and give up sensitive data and PDF files linking to password-protected archives,” said Alex Holland, senior malware analyst at HP Wolf Security.

QR codes, scanned by smartphone cameras to take users to websites, are used pretty much everywhere, from checking restaurant menus and tipping waiters to checking parcel deliveries or checking into hotels.

Unfortunately, every time you scan a QR code, you risk infecting your device or accidentally giving away sensitive data, such as payment card information.

“We have seen QR codes used in English-language phishing campaigns masquerading as parcel delivery companies seeking payment, so individuals and organizations should be on the lookout for such campaigns,” the report reads.

Researchers also described what they called an “unusual Chinese-language” phishing campaign: threat actors were observed abusing QR codes to lure victims to a malicious website so they could steal credit-card details and other sensitive information.

Victims were tricked into believing they were entitled to a government grant if they met the criteria.

“To receive the grant, the recipient is asked to scan the QR code using WeChat, a popular instant messaging, social media, and mobile payment app, and then follow the instructions on the website,” the report reads.

If users want to scan a QR code, they need to switch to a smart device, which usually has weaker protection than a regular computer.

“QR codes also benefit attackers because email gateways are less likely to inspect the

destination web addresses the codes lead to, meaning phishing emails stand a greater chance of reaching users’ inboxes compared to standard hyperlinks,” researchers said.

Since October, the Wolf team says it has observed QR-based phishing campaigns daily. Experts believe these campaigns could be being distributed in high volumes.

How to avoid QR scams?

  1. Do not scan QR codes received from strangers
  2. Even if a message is from someone you know, first check if your contact has actually sent you the code before clicking on it
  3. If a message comes from a government agency, call or email it directly to make sure it is legitimate
  4. Some antivirus software comes with a QR-scanning functionality – it will prevent you from downloading malicious software
  5. Do not enter any personal details or other sensitive information into websites you don’t know