
QR codes are a very practical way of storing and sharing data. Due to their speed and versatility, they have been gaining traction during the COVID-19 pandemic. Even now they are still becoming increasingly popular for many different purposes. You might see them at restaurants serving as menus, on parking meters as a quicker payment option or on various advertisements to give you more insight about a product or service.
But as QR codes have grown more popular, scams and attacks that abuse them have unfortunately become more common as well. Find out in this guide how attackers take advantage of QR codes to compromise your data.
How do QR code scams work?
QR codes are very much present in our everyday life and most of us have used them safely before. So how do cybercriminals make use of these codes to compromise your data?
Over the past few years, phishing (when an attacker pretends to be a reputable company in order to deceive you) has gone from using simple email messages to SMS (Smishing) and now even QR codes (Quishing). QR codes are usually used to redirect you to a link on the web, and this is precisely what scammers use to their advantage when trying to get something out of you.
- Malicious QR code creation: Scammers create fake QR codes that lead to harmful websites. These can often look legitimate, like flyers, ads for a product, menus for restaurants or even parking meters in some cities.
- Payment scams: Attackers may create codes that redirect your payment through third-party websites that look reputable (like fake bank websites). When you enter your credit or debit card details, attackers can save them and use them to make purchases you didn’t consent to.
- Data theft: In addition to trying to steal your banking information, scammers might try to send you to fake websites requiring you to enter sensitive information such as passwords, PINs or personal data. This can be just as dangerous as getting your financial information stolen and can lead to identity theft and your data eventually being sold on the dark web.
- Malware infection: Websites you’re being sent to may try to convince you to download malware. This often happens under the pretense of something urgent (e.g. “Your computer has been infected. Download antivirus below.”). Generally, you will often be confronted with the typical pop-up website trying to intimidate you and make you install malicious files on your device. Here’s an example:

To find out more about how to remove malware and secure your phone, check out our guide on malware on mobile devices.
How To Spot a Fake QR Code
- Look for tampering: Check for physical tampering such as stickers over existing QR codes before you scan a code or if you suspect the code may be malicious.
- Check the URL: When you scan a QR code with your camera, it will usually show you a preview of the hyperlink. If the link looks suspicious, do not open it. A common sign is seeing the “http” instead of the “https” protocol, which suggests the data isn’t encrypted between client and server. Avoid clicking any shortened links such as bit.ly or tinyurl. Here’s an example of a link preview:

- Be cautious with QR codes in emails & texts: There are rarely any situations where QR codes need to be sent via email, since you are already using the device and could just click the link as is. The same is true for texts and SMS messages. The devil is in the details though, so always be on the lookout for any minor cues that seem out of place. For instance, email addresses used for phishing are made to look similar to official email addresses. Instead of support@microsoft.com, you might come across support@micro-soft.com. So be on the lookout for small mistakes or grammar errors. Here’s an example:

Source: securelist.com
- Beware of real-life scams: A package arriving at your home that claims you have won a prize and need to scan a code to claim it is an immediate red flag, and you should not engage with the QR code any further. You should ignore any such offers that seem too good to be true.
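The URL checks from the list above (plain http, shortened links, and lookalike domains such as micro-soft.com) can be automated for a decoded QR payload. This is an added example, not code from the original article; the shortener and trusted-brand lists are small constructed samples, and the two-label domain split is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed sample lists (assumptions): extend them for real use.
SHORTENERS = {"bit.ly", "tinyurl.com"}
TRUSTED = {"microsoft.com", "paypal.com"}
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain):
    """Drop separators and undo common digit-for-letter swaps."""
    return domain.replace("-", "").replace(".", "").translate(SWAPS)


def registrable(host):
    """Naive last-two-labels split; a real tool would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def check_qr_url(payload):
    """Return a list of warnings for the text decoded from a QR code."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return ["not a web link: check what it does before acting on it"]
    warnings = []
    if parts.scheme == "http":
        warnings.append("unencrypted http link")
    if "@" in parts.netloc:
        warnings.append("text before '@' is not the real host")
    domain = registrable(host)
    if domain in SHORTENERS:
        warnings.append("shortened link hides the destination")
    if domain not in TRUSTED:
        for brand in sorted(TRUSTED):
            if normalize(domain) == normalize(brand):
                warnings.append(f"lookalike of {brand}")
            elif brand in host:
                warnings.append(f"{brand} used as a subdomain of {domain}")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, not taken from a real campaign.
    for sample in ("https://www.microsoft.com/account",
                   "http://bit.ly/x",
                   "https://support.micro-soft.com/reset"):
        print(sample, "->", check_qr_url(sample) or "no warnings")
```

An empty result only means none of these specific signs were found; it does not prove the destination is safe.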
How To Protect Yourself From QR Code Scams
- Use a secure QR code scanner: If you want additional safety, download a QR code scanner that has built-in security features such as blocking malicious websites or checking the URL for phishing threats.
Some recommendations: Kaspersky QR Scanner, Norton Snap QR Scanner, Trend Micro QR Scanner
- Be cautious of the source: Before scanning a QR code, make sure it fits the context and the branding of what it is promoting. For example, if you see QR codes on a political campaign poster by an official party and you’ve seen multiple of them around your city, it’s likely rather safe to scan. But if you see a QR code on an advertisement by someone claiming to be Apple, allegedly giving away AirPods free of charge and asking you to scan the QR, you should be more wary about the situation.

Source: Reddit
This is an example of a suspicious QR code attempting to lure you into scanning it by promising you free products.
- Use strong, unique passwords: When picking a password, make sure it contains lowercase and uppercase letters, numbers and special characters such as “$” or “§”. You might want to consider getting a password manager if you really want to have exceptional security. Check out our guide on password managers.
- Manually enter URLs: When possible, type in the URL yourself instead of scanning the QR code that is supposed to send you there. This is especially true for links asking you for payment. Instead of scanning the QR code, make the transaction directly from your banking website or PayPal.
- Use multi-factor authentication: This is a proactive measure that adds an extra level of protection, even if a scammer tricks you into scanning a QR code. The extra factor can be a code or a fingerprint. Not all services offer it, but it is worth checking.
- Stay educated: Phishing scams keep evolving, as can be seen in the case of quishing. Be the first to find out about the newest vulnerabilities by following cybersecurity news. Follow online outlets and cybersecurity blogs to remain up to date.
Key Takeaways
To sum it up, never scan a QR code if it feels off. Always be aware of the context and don’t be naive when someone is trying to offer you something in return for simply scanning a QR code. If there are alternatives that feel safer to you, use them instead of scanning something you don’t feel ok with. And most importantly, always stay up to date with the latest cybersecurity news!