By: Kirby Mack - Vice President of Digital Media
QR Codes are great. As a matter of fact, I wrote a glowing article about QR Codes, their history, and their glorious comeback. (which you can read here, QR Codes – The Comeback Kid!) But of course, “With great power comes great responsibility.”
Imagine this, you are on a hiking trail, and you come across an information post that has a QR Code on it. The QR code says, “Scan here for trail map” and you do. Only you never receive the trail map… it appears like it does nothing. It opens a browser and then closes the browser. “Hmmm – Must be broken,” you think to yourself. So, you continue on with your hike, completely oblivious to the fact that the QR Code you just scanned mined all of your data from your phone and is posting it in batches to the dark web. Scary right? Well, these scams are becoming more and more common. So common, in fact, they now have a name: “quishing.”
QR Code phishing or “quishing” is a type of phishing attack that uses QR codes to lure victims into revealing sensitive information or making improper payments.
“There are a number of things that can happen sometimes by just clicking on it (the QR Code),” said Steve Weisman, www.scamicide.com. “You can be downloading malware onto your phone, stealing information from you. Other times it actually will be able to access accounts of yours and take money out. I mean, it’s pretty dangerous.”
Here are a few examples of recent QR Code scams.
Parking meter payment scam.
Included in products purchased off Amazon from China.
Source: Reddit
So what can we do? QR Codes are everywhere; they are extremely convenient, very useful, and are no doubt here to stay. Avoiding QR Codes altogether is not the answer. Let’s dive into some tips and tricks to help you learn how to spot the scam and safely scan a QR Code.
The built-in feature to quickly scan the QR Code on smartphones is nice, but as of publication time, they have yet to update the software to include a feature that helps you identify a malicious QR Code. The good news: there are free apps that you can download to your phone that can help recognize whether it’s fake or not. Just make sure you only download an app from a trusted source.
A few recommendations would be:
- Kaspersky’s QR Code Reader and Scanner
- QR Scanner-Safe QR Code Reader by Trend Micro
The two most important things that will help keep you safe from a quishing scam are knowledge and common sense. You want to only scan QR codes from trusted sources. If you’re at a restaurant, you’re probably safe to scan the code to open their menu. But if there’s a QR code stuck on the side of a telephone pole or rest area bathroom wall – it’s best to just steer clear of it. And if you are in an environment where a QR Code says, “Scan here to make a payment.” Avoid it if possible. If not, confirm with an employee that it is, in fact, real.
One of the ways these scams are growing is with stickers. The bad apple will create the malicious QR Code, print it as a sticker, and place it over top of a legitimate one. Before you scan the QR Code, take the extra time to ensure it hasn’t been tampered with, replaced, or a sticker placed on top of it. If you can peel the QR code off individually and there is one underneath, it’s most certainly a scam.
Once you scan that QR Code, most readers will preview the URL for you before you click to continue. Make sure you double-check the URL before and after scanning. Malicious sites, while they may look identical to legitimate ones, can have URLs that look suspicious and/or have nothing to do with the content on the site itself. Once you land on the end target of the QR Code, do not enter any personal or financial information. No usernames, no passwords, no credit cards, and no social security numbers. It’s a best practice to verify the website you are using is real and secured first.
Lastly, use that common sense. There is never a need for a company to include a QR code in an email, especially when a link will do. If you receive an email from a company requesting you to scan a code to verify information or check on a payment status etc… call the company first. But here is the tricky part. Contact the actual company the email appears to be from, and NOT with the information provided to you in that email. Instead, go directly to that company’s website to find their contact information and verify. And then double-check with them before you do anything.
While all of this is scary, it should not deter you from taking advantage of the convenience of a QR Code and what they have to offer. Reading this article arms you with knowledge, and that’s step one. From there, just use your common sense; if it doesn’t add up or it seems too good to be true, you can bet it most likely is.
Stay safe!
