How QR Codes Can Be Misused

With the growing popularity and prevalence of QR codes, the number of cases of their malicious use is also increasing. In the worst case, a consumer who scans a QR code can lose money and access to their social media and bank accounts. Why is it potentially dangerous to scan a QR code with your mobile device? And what do you need to know to avoid becoming a victim of scammers?

QR codes in a nutshell

QR codes (short for “Quick Response”) can store a significant amount of information and are easy to use: users simply point their smartphone camera at the code to scan it. This ease of use has led to the widespread adoption of the technology. QR codes are now used for contactless payments, accessing websites and apps, authentication and security, information sharing, and more.

Types of Malicious QR Code Attacks

Criminals exploit the convenience and trust associated with QR codes to launch a variety of malicious attacks. Understanding the types of malicious QR code attacks is crucial for both individuals and businesses. Here are some common types of malicious QR code attacks and how they operate.

Phishing

Phishing is a type of cyber attack where attackers attempt to deceive individuals into providing sensitive information, such as usernames, passwords, credit card numbers, social security numbers, phone numbers, and other personal details. When a user scans a QR code, they are often redirected to a website. If the QR code is malicious, it can lead the user to a fake website designed to look like a legitimate one.

Real life example

According to Security Financial Bank, there have been numerous reports of criminals covering up QR codes on parking meters. When a car owner scans the code to pay for parking, they are redirected to a fake website that accepts their payment but has no affiliation with the city. As a result, the money goes directly to the criminals.


Malware

QR codes can be exploited to distribute malware. Scanning a malicious QR code can lead to a direct download of malware onto the user’s device. This malware can be in the form of apps, files, or scripts designed to compromise the device or steal information. If a user’s device (such as a phone or tablet) has an unpatched vulnerability, the installed malware can seize control of the device. This control allows a criminal to steal money, hack websites, and carry out other cyber attacks.

Real life example

A 60-year-old woman from Singapore lost $20,000 in a QR code scam at a local bubble tea shop. She was tricked into downloading a malicious app after scanning a QR code and completing a fake survey for a free drink. The app then stole the money directly from her bank account.

Financial Scams

Scammers create QR codes that redirect payments to their own accounts instead of the intended recipient. This can happen with fake invoices, fraudulent fundraising campaigns, or altered payment requests.

Official recommendation

Spammers send fake emails claiming that a payment failed and must be completed through a QR code. In a Public Service Announcement, the FBI advises: if you get such an email, call the company to verify it, using a phone number from a trusted site rather than the one in the email message.

Data Theft

Criminals can use QR codes to capture your personal or sensitive information, often through social engineering tactics. Users are redirected to fake surveys or forms that request personal details under the pretense of winning a prize, getting a discount, or participating in a study.

Some QR codes, especially those found in public places, can connect a device to a compromised Wi-Fi network. Once connected, criminals can intercept the data transmitted over the network, capturing sensitive information such as login credentials and financial transactions.

Number of QR Scams in the UK

[Chart: reported QR scams in the UK; figures not reproduced in this text. Sources: BBC, UK Police]

What is Quishing?

Quishing, a portmanteau word of “QR code” and “phishing,” refers to a type of phishing attack that uses QR codes to deceive individuals into providing sensitive information or downloading malicious software.

How to Identify Malicious QR Codes

Now that you know the potential threats posed by QR codes, let’s discuss how to recognize suspicious ones.

Tips on recognizing suspicious QR codes

When scanning a physical QR code, look for signs of tampering, such as a sticker placed over the original code. This can indicate an attempt to cover a legitimate code with a malicious one. Remember the earlier story about the parking meters? Also check for mismatched fonts or design inconsistencies, since scammers often neglect these details.

Be skeptical of QR codes offering unrealistic promises like free gifts, prizes, or large discounts. Criminals often use enticing offers to lure victims. Don’t fall for it!

If your scanner shows the decoded URL before opening it, check that URL for legitimacy: look for misspellings, unusual domains, or unfamiliar websites.
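The two checks the article recommends, inspecting a decoded URL and being wary of Wi-Fi QR codes in public places, can be turned into a small triage script. The following is an added example, not code from the article or its authors. It assumes the phone's scanner has already decoded the QR code into text and only inspects that text; the sample payloads, the shortener list and the documentation-range IP address are constructed for illustration, and every rule is a heuristic that raises a warning rather than a verdict.

```python
"""Triage a decoded QR payload before acting on it (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Illustrative list of URL-shortener hosts (constructed, not exhaustive).
# A shortener hides the real destination, which is why it is flagged.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}


def parse_wifi_payload(payload):
    """Parse the common 'WIFI:T:WPA;S:ssid;P:pass;;' format into a dict.

    Fields are separated by ';'; a literal ';' or ':' inside a value is
    escaped with a backslash, so we split only on unescaped separators.
    """
    body = payload[len("WIFI:"):]
    fields = {}
    for part in re.split(r"(?<!\\);", body):
        if ":" not in part:
            continue
        key, _, value = part.partition(":")
        value = value.replace("\\;", ";").replace("\\:", ":").replace("\\\\", "\\")
        fields[key] = value
    return fields


def triage_qr_payload(payload):
    """Return (kind, warnings) for one decoded QR payload."""
    warnings = []

    if payload.upper().startswith("WIFI:"):
        fields = parse_wifi_payload(payload)
        if fields.get("T", "").upper() in ("", "NOPASS"):
            warnings.append("open Wi-Fi network: traffic is not encrypted")
        if fields.get("H", "").lower() == "true":
            warnings.append("hidden SSID: network name is not broadcast")
        return "wifi", warnings

    if payload.lower().startswith(("tel:", "sms:", "smsto:", "mailto:")):
        return "contact", ["payload starts a call, SMS or email; confirm the recipient"]

    if "://" not in payload:
        # No scheme: plain text (menu, serial number, ...). Nothing to open.
        return "text", warnings

    parts = urlsplit(payload)
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append(f"scheme is {parts.scheme!r}, not https")
    if "@" in parts.netloc:
        # Everything before '@' is userinfo; the real host comes after it.
        warnings.append("userinfo in URL: text before '@' is not the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a domain name")
    except ValueError:
        if host.count(".") >= 3:
            warnings.append("deeply nested subdomain: check the registrable domain at the end")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode (IDN) host: possible lookalike domain")
    if re.search(r"[^\x00-\x7f]", payload):
        warnings.append("non-ASCII characters in URL: possible lookalike domain")
    if host in SHORTENER_HOSTS:
        warnings.append("URL shortener hides the real destination")
    return "url", warnings


# Constructed sample payloads; none refer to a real site or real scam.
SAMPLE_PAYLOADS = {
    "parking_meter_sticker": "http://city-parking-pay.example.net@198.51.100.23/pay",
    "cafe_menu": "https://www.example.com/menu",
    "cafe_wifi": "WIFI:T:nopass;S:Free Cafe;;",
    "shortener": "https://bit.ly/3abcXYZ",
}


def triage_all(payloads=SAMPLE_PAYLOADS):
    """Triage every sample and return {name: (kind, warnings)}."""
    return {name: triage_qr_payload(p) for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (kind, warnings) in triage_all().items():
        print(f"{name}: {kind}")
        for w in warnings:
            print(f"  - {w}")
```

The parking-meter sample shows why a quick glance at a URL is not enough: the text after `http://` looks like a city domain, but the browser will connect to the address after the `@`. The Wi-Fi sample is flagged because a network with no passphrase does not encrypt traffic, which is the precondition for the interception the article describes.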


Protective Measures

Criminals often rely on their potential victims using outdated software, which may contain vulnerabilities. Always update the operating systems of your computers, phones, and tablets to the latest version available.

If you’re asked to scan a QR code to download an application, don’t do it. Instead, download the app directly from the Apple App Store or Google Play Store; Apple and Google moderate their app stores to protect users from malicious software and fraudulent apps.

Previously, there were reports of malicious QR scanning apps. Most smartphones (iPhone and Android) now have built-in QR scanners, so there’s no need to install additional software.

Wrap Up

With the growing popularity of QR codes, their misuse has also increased, posing significant risks to consumers. Scanning a malicious QR code can lead to financial loss and data theft. To protect yourself, always use up-to-date software and be cautious when scanning unfamiliar QR codes.
