QR Codes: Don't Scan a Scam

YOUTUBE MEDIA

HcEr9T2nRso

They've become a ubiquitous part of life—but be careful when you use one

On this page: How QR Code Scams Work | How QR Code Scams Are Distributed | What Can You Do? | Additional Info

QR codes—those squares full of smaller squares that you can scan with your phone to open a web page—are having a moment. They've been around for a while, but they never quite caught on for a number of reasons, chief among them that you used to have to find and download an app to use them. When the pandemic forced people to rethink things like handing out physical menus, scanning a QR code to open a website or PDF seemed like a good solution. And by then, QR code scanning was a built-in camera or toolbar function on most phones. Now, using your phone to scan a QR code is just something we do without thinking.

Or most of us have been doing it without thinking about it. Some people have been thinking about it quite a lot. Specifically, they thought about how to use the newfound ubiquity of QR codes in public settings to scam people. What they came up with is simple but effective.

How QR Code Scams Work

You can't tell what file or web page a QR code will open until you scan it, and even then the link displayed may not give you much of a clue. The link may be shortened, point to an unfamiliar location, or point to a site that automatically redirects you elsewhere. If that elsewhere is a brunch menu or the page for an event, no worries. But if it’s a malicious site—well, many worries.

Such sites go to work as soon as they start loading. Often, you don't need to do anything other than follow the first link to open yourself up to cyberattack. Things that can wind up on your laptop or phone include keyloggers (hidden software that records everything you type, like passwords and personal email) and botnets (which steal your computer's connection for the hacker’s purposes, such as using it in large-scale hacking efforts or Bitcoin mining).

This doesn't mean you should never scan a QR code. These days, it's hard to avoid them. What it does mean, though, is that you should think twice about what you scan.

How QR Code Scams Are Distributed

With QR code scams, it's not so much about the type (it's all basically the same approach) as the where and when. Some of the distribution methods for fraudulent QR codes include:

Email: If you get an unsolicited email asking you to scan a QR code—don't. Ever. It's one of the easiest methods of distributing scam codes. The more "urgent" the email claims to be, the more suspicious you should be.
Posters, restaurant tables, and other public spaces: When a QR code is presented in a public or outdoor setting, it can be as simple as putting a sticker with a different QR code over the legitimate code. Take a look at it, or run your fingers over it and see if you can detect tampering.
A sticker or flyer: It's not unusual for performers, artists, and event organizers to make stickers or print flyers with a QR code on them. Be very careful about scanning that code, especially if it's just a sticker on a sign. Interested in what’s being promoted? Take a regular photo and then look it up online without scanning the QR code.
Multi-factor authentication (MFA) messages: In a recent scam, cybercriminals sent phishing emails disguised as multi-factor authentication (MFA) messages. The email instructs you to scan the QR code to enable MFA on your device. If you scan the QR code, you’ll be taken to a spoofed login page. If you enter your login credentials, cybercriminals could gain access to more of your sensitive information.

What can you do?

A few simple habits will help you avoid scanning a malicious QR code.

Think before you scan a QR code

Cyberattacks are designed to catch you off guard and trigger you to scan impulsively. Ensure that you trust the source of the QR code, and if it seems out of place or unusual, exercise caution. Look for any signs of tampering or alterations on physical QR codes, and when in doubt, err on the side of safety by verifying the source.

Don't download a QR code scanning app

The days of needing a third-party app are over. All major phone manufacturers have built QR code scanning into their devices, either as part of the device's camera or located as an option in a toolbar.

Don't download a QR code scanning app

The days of needing a third-party app are over. All major phone manufacturers have built QR code scanning into their devices, either as part of the device's camera or located as an option in a toolbar.

Don't install an app you get by scanning a QR code

If you're interested in an app, go to the official app store for Google or Apple and download it from there. Don't trust the QR code, even if it says it's taking you to the app store. And remember, you should always be careful about the apps you install, even if you get them from an official app store.

Check the authenticity, especially in an outdoor location

It's easy to slap a sticker over a legitimate QR code. If something seems off, like a visible sticker, ask your server or someone else who can verify its authenticity.

If someone is shouting that it's urgent, don't panic respond

Scam via QR codes rely on the same strategies as other types of phishing. One of those is creating a sense of unease that if you don't do something right away there will be consequences. Don't fall for it, no matter how successfully a message triggers your anxiety. If you think it might be legitimate, skip the scan and take the time to type in the URL or call a verified support number.

Be cautious before entering any login information on a website from a QR code

Instead, navigate directly to the official website. This method minimizes the risk of falling victim to phishing attempts through QR codes and helps protect your sensitive information from potential cyber threats.

Additional Info

"QR code scams are on the rise. Here's how to avoid getting duped." C|Net Tech
"Beware of Fake QR Codes." AARP
"QR code scams are making a comeback." Malwarebytes Lab
"FBI warns of QR code scam." The Independent

The Download: Feature Articles