David Papp Blog

Don’t Fall for a QR Code Scam

Cybercriminals have access to all kinds of tools to scam people. In many cases, their attacks come through emails or social engineering. However, some cybercriminals are taking advantage of the rise of QR codes.

Today, QR codes are just about everywhere. These square barcodes can be found on real estate listings, TV ads, social media posts, and more. They promise perks such as great deals or send you to company or brand websites.

The rise of QR codes coincided with the pandemic, as they gave users a contactless way to get information. For example, restaurants had QR codes that sent customers to the menu.

While that was helpful, cybercriminals quickly took note of this habit and began exploiting the technology. Scammers created their own malicious QR codes designed to dupe unsuspecting consumers into handing over personal information or their banking information.

This was to be expected, of course. Any time a new technology is used, there will always be people who exploit it and try to swipe information from others. These scammers can get away with it easily because their malicious codes are hidden among all the legitimate QR codes out there.

The only way to not fall for these types of scams is to be aware of them and understand QR codes and the scam itself.

What Are QR Code Scams?

QR codes have been around since the 1990s, so the technology itself isn’t anything new. What changed was where it is used. Today, they’re everywhere. But back then, QR codes were used to manage production in the automotive industry.

QR codes are now an essential piece of these scams. Experts say that these scams are still a small percentage of the scam tactics in use, with most cybercriminals opting for emails, malware, ransomware, and social engineering.

However, there are numerous QR code scams reported to the Better Business Bureau, especially in the past year during the pandemic.

It’s gotten to the point where the FBI has issued warnings advising consumers to think before scanning QR codes.

As for the scam itself, this is a typical phishing scam. Anyone scanning a scam QR code will be sent to a “scammy” website that asks for personal information, a bank account, or a credit card number.

The only silver lining to these scams is that scanning the QR code itself won’t do anything to people’s phones. There is no malware being downloaded in the background.

So what can be done?

It helps to know that these scams come through scam stickers as well as paper junk mail. The angle with QR codes is getting people from the physical world to online.

That insight is the key to ruling out several QR code scam attempts, since some of these phishing attacks take the form of a QR code included in an email or an online ad.

Why would a legitimate business ever send someone an email with a QR code in it, or create an ad that forces consumers to take out their phone and scan the code? There are easier ways to convey that, such as a hyperlink.

Other Tips To Keep In Mind

Hackers use QR codes in phishing emails and online ads largely because the codes bypass security software. Look at any anti-virus software and some of its features deal with attachments or dubious links, but QR codes haven’t become part of cybersecurity features just yet.

Ultimately though, these are just another method to compromise personal information. With that in mind, here are some other considerations:

  • Exercise more caution. As mentioned above, it is easier said than done, but it is possible. Before scanning a QR code, look at it. Is it a sticker or part of a bigger sign or display? Does the code fit with the background? If not, ask for a paper copy of the document and type the URL manually.

    When a QR code is scanned, look at the website carefully. Look at what information it asks for and consider whether that information is actually needed. For example, QR codes at restaurants should lead scanners directly to a menu. Logging in or entering banking information wouldn’t be needed.

  • Dismiss any QR codes in emails. Skip these QR codes entirely. This also applies to any QR codes sent in physical junk mail that is unsolicited.
  • Always preview the code’s URL. Many smartphone cameras will offer people previews of the code’s URL while scanning it. If the URL looks strange, move on.
  • Download a secure scanner app. These apps are designed to spot malicious links before they are opened. Trend Micro offers a free version and other big antivirus companies have some too. Do exercise caution with these apps as well: stick to well-known security companies, as there are malicious QR scanning apps too.
  • Have a password manager. As with any kind of phishing, if a QR code takes people to a really convincing fake website, password managers can still tell the difference between a legit site and a fake one. As a result, they won’t autofill passwords.
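
As an added illustration (not from the original post), this Python sketch applies the "preview the URL" and password manager tips to the text decoded from a QR code. The specific checks, the `bank.example` site and the saved login are assumptions made up for the example, and real password managers use more elaborate domain matching than the exact-host comparison shown here.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample vault: host -> saved username (hypothetical data).
SAVED_LOGINS = {"bank.example": "alice"}

def preview_flags(payload, expected_host=None):
    """Return reasons a decoded QR payload looks strange (illustrative checks)."""
    url = urlsplit(payload.strip())
    if url.scheme not in ("http", "https"):
        return ["not a web link (scheme: %s)" % (url.scheme or "none")]
    host = (url.hostname or "").lower()
    flags = []
    if url.scheme == "http":
        flags.append("no HTTPS")
    if url.username or url.password:
        flags.append("text before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a name")
    except ValueError:
        pass  # a normal host name
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode (possible lookalike characters)")
    if expected_host and host != expected_host \
            and not host.endswith("." + expected_host):
        flags.append("host is not the expected site")
    return flags

def autofill_user(payload):
    """Mimic a password manager: fill only on an exact saved host over HTTPS."""
    url = urlsplit(payload.strip())
    if url.scheme != "https":
        return None
    return SAVED_LOGINS.get((url.hostname or "").lower())

if __name__ == "__main__":
    # Constructed payloads, as a phone camera would decode them.
    samples = [
        "https://bank.example/login",
        "https://bank.example.login-check.test/",
        "https://bank.example@203.0.113.7/login",
    ]
    for s in samples:
        print(s, preview_flags(s, "bank.example"), autofill_user(s))
```

Only the first sample gets an autofill; the lookalike host and the `@` trick both come back with flags and no saved login, which is the signal to stop before typing anything.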