QR codes have grown in popularity over the last several years given they are easy to use – just scan them with the camera on your smartphone and you have instant access to all information associated with them. Be it a menu at a restaurant you will be visiting or ordering from, the activities offered by the resort you are vacationing at, paying for your purchase at one of your favorite retail establishments, or accessing coupons for shopping and entertainment, QR codes have made it easy to connect.
But is that QR code you are scanning safe? Unfortunately, cybercriminals are exploiting this technology by creating fake QR codes that can steal your personal information, infect your device with malware, or trick you into paying money.
A new phishing scam has emerged using QR codes. Those who scan these QR codes fall victim to the malicious intent of the cybercriminal. How does the scam work?
The scammer prints out a fake QR code. They place it over a legitimate one. For example, they might stick it on a poster that advertises a product discount or a movie.
You come along and scan the fake QR code, thinking it’s legitimate. The fake code may direct you to a phishing website. These sites may ask you to enter sensitive data such as your credit card details, login credentials, or other personal information.
Or scanning the QR code may prompt you to download a malicious app. that contains malware that can do one or more of the following:
- Spy on your activity
- Access your copy/paste history
- Access your contacts
- Lock your device until you pay a ransom
- The code could also direct you to a payment page. A page that charges you a fee for something supposedly free.
How do you know if the QR code you want to utilize is not safe? Here are a few things to look for to determine if a bad actor may be behind that QR code you want to use.
Malicious Codes Concealed
Cybercriminals change legitimate QR codes. They often add a fake QR code sticker over a real one. They embed malicious content or redirect users to fraudulent websites.
Fake Promotions and Contests
Scammers often use QR codes to lure users into fake promotions or contests. When users scan the code, it may direct them to a fake website. The website may prompt them to provide personal information resulting in potential identity theft or financial fraud.
Malware Distribution
Some malicious QR codes start downloads of malware onto the user’s device. This can result in compromised security including unauthorized access to personal data and potential damage to the device’s functionality.
The following are tips to help make sure the QR code you want to scan is safe.
Verify the Source
Be cautious when scanning QR codes from unknown or untrusted sources. Verify the legitimacy of the code and its source. This is especially true if it prompts you to enter personal information.
Use a QR Code Scanner App
Consider using a dedicated QR code scanner app. Use that rather than the default camera app on your device. Some third-party apps provide extra security features such as code analysis and website reputation checks.
Inspect the URL Before Clicking
Before visiting a website prompted by a QR code, review the URL. Ensure it matches the legitimate website of the organization it claims to represent.
Avoid Scanning Suspicious Codes
Trust your instincts – if a QR code looks suspicious, refrain from scanning it. Scammers often rely on users’ curiosity. Be careful when scanning QR codes that you see in public places. Don’t scan them if they look suspicious, damaged, or tampered with.
Update Your Device and Apps
Keep your device’s operating system and QR code scanning apps up to date. Regular updates often include security patches that protect against known vulnerabilities.
Be Wary of Websites Accessed via QR Code
Don’t enter any personal information on a website that you accessed through a QR code. This includes things like your address, credit card details, login information, etc. Don’t pay any money or make any donations through a QR code. Only use trusted and secure payment methods.
QR code scamming is a phishing technique. Phishing is one of the most serious risks for individuals and organizations. If you need help ensuring your devices are phishing resistant, please reach out to us.