Prevent ‘Quishing’: Ways to Avoid QR Code Fraud
Scammers are always looking for their next tool for use in stealing your data and your money. Enter the QR code, with its ease of use, it’s the perfect piece of tech to exploit.
QR codes have been around for a few decades now, morphing from the barcodes that we see on merchandise in stores. QR codes make it easy for us to scan with our phone in order to share data and access links and other digital information. Often you don’t even need an app, you simply aim your phone’s camera at a QR code (whether it’s in print or on another screen) and instantly are either downloading information or being directed to a website. Unfortunately this convenience has also made it more convenient for fraudsters to spread malware and steal your personal information, including your financial information.
You’re familiar by now with “phishing,” aka data-mining via emails and text messages. When scammers manipulate QR codes, it’s called “quishing” yet it has the same objective. Quishing links can imitate a legitimate service provider, but visiting that link will likely load malware into your device or put you through prompts which force you to unwittingly reveal your login credentials and other personal information. The criminal at the other end can either drain your bank account or use your data for identity theft.
One of the reasons that QR code scams are popular among cyber thieves is that because the codes are scanned directly by a user, this negates the use of security filters that you might have in place within your email software. Your browser will open the link without any additional security checks.
The Cycle of a QR Scam
It all starts with the cybercriminal generating a QR code that contains a link to a phishing website or directly to a malware file. The scammers share the malicious QR code on other websites, in email chains, in the comments section under social media posts, and even in physical public spaces like bulletin boards and lampposts. Once a user scans the QR code and clicks the URL link, either of these will happen:
1) The user downloads a malicious file on their device; once opened, the malware installs itself. As the malware runs in the background, unbeknownst to the user, their internal data is being stolen and/or the infection often spreads to the device network.
2) The user enters their credentials into a phishing website, believing that the website is a legitimate company (possibly one they’ve visited before). The fraudsters, now with account access, log into those accounts for ongoing plunder.
How to spot common QR code scams
(from NordProtect)
Using QR codes maliciously is fairly simple because you can’t verify the code’s content before you scan it. For this reason, any code you come across is as likely to be a legitimate redirect or a guerrilla marketing campaign as it is a scam.
Emails and text messages
QR codes can be included in emails as attachments or images that the user can quickly scan to learn more. Likewise, some texting services can allow MMS messages containing QR codes. Sending fake QR codes over email or text can be an effective way to redirect the target to a phishing website. Since a QR code is easy to generate, it can be a low-stakes scam for the cybercriminals, allowing a quick and easy way to share a spoofed website with many users at once.
Social media posts
QR codes are a common way for users to share content on social media, especially on platforms where sharing links might be restricted. Some social media sites can automatically detect and flag scam links. Using an image of a QR code instead helps cybercriminals bypass this block and share their scam more efficiently.
Pop-up ads
QR codes in pop-up ads may be less effective than other scams because an adblocker might filter them out. However, they allow for a more effective way to get the users to access the scam link. Pop-up ads are usually interactive, meaning that the scammer can add a link not just inside the QR code but also make it accessible by just clicking the ad. The user then unintentionally opens the scam site and might interact with it, thinking it’s legitimate.
Sign-up forms
Sign-up forms are an easy way for cybercriminals to gather information they can use for different types of identity theft. A user scans the QR code and opens a sign-up form for a newsletter, subscription, or other service. They enter personal details, including their legal name, home address, and payment information, which cybercriminals can then access and use maliciously.
Shopping scams
QR shopping scams typically focus on stealing financial information. A user scans the code expecting to receive a special discount or exclusive access to an item or service. They enter their payment details and delivery address. However, instead of receiving their desired item, they end up unwittingly submitting their financial information to criminals.
Restaurant menus and payments
Restaurants often allow customers to scan QR codes to access the menu or pay the bill. Criminals can hijack the DNS traffic, redirecting it to a scam site that looks like the payment page. The customers then enter the payment information as normal, while the criminals gain their financial details, and the bill is left unpaid.
Flyers in public spaces
A common way to share a fake QR code is to print it out and place it in a public place, like a bulletin board or a street sign. Such flyers often contain very little information besides the code, making them indistinguishable from other QR codes. The aim is to get as much exposure as possible by placing the code in a public location for passers-by to scan it out of curiosity. If they scan the code and interact with its hyperlink, they may fall for the phishing scam.
Physical mail
Similar to public flyers, scammers may place letters containing fake QR codes directly in physical mailboxes. These letters can be part of broader scams. For instance, they may imitate legal documents, overdue payment warnings, or requests to provide further information. For the recipient’s “convenience,” these letters contain a QR code they can scan to access a quick way to make a payment or submit information. The scammer can then obtain this data and use it for identity theft, credit card fraud, or other criminal activities.
Cryptocurrency and NFTs
People often share QR codes to mine new cryptocurrency coins or access non-fungible tokens (NFTs). Fake codes used in crypto scams often contain malware and can be shared from one crypto wallet to another. For instance, a user might receive a file containing the QR code in their digital crypto wallet. Once they scan the code and open it, they download a file claiming to contain a token. If they interact with the file, hackers can overtake their device with malware and use it to steal assets in the wallet.
Fake QR code scanner apps
In some cases, scammers might create a fraudulent QR scanner app instead of using a specific code. The user installs the app and grants it a high level of permission to access the device. The app actually works as malware and is used to access internal files, keylog the user’s keyboard entries, and steal sensitive information.
More Information and What to Look Out For
Scammers hide harmful links in QR codes to steal your information
QR codes seem to be everywhere. You may have scanned one to see the menu at a restaurant or pay for public parking. And you may have used one on your phone to get into a concert or sporting event, or to board a flight. There are countless other ways to use them, which explains their popularity. Unfortunately, scammers hide harmful links in QR codes to steal personal information. Here’s what to know.
‘Quishing’ scams dupe millions of Americans as cybercriminals turn the QR code bad
QR codes were once a quirky novelty that prompted a fun scan with the phone. Early on, you might have seen a QR code on a museum exhibit and scanned it to learn more about the eating habits of the woolly mammoth or military strategies of Genghis Khan. During the pandemic, QR codes became the default restaurant menu. However, as QR codes became a mainstay in more urgent aspects of American life, from boarding passes to parking payments, hackers have exploited their ubiquity.
8 Common QR Code Scams & How to Protect Your Digital Information
From pubs to parking lots, QR codes are everywhere for the scanning. But just because everybody’s doing it, doesn’t make it safe. Learn about common QR code scams and ways to protect yourself, one barcode at a time.
Quick Response (QR) codes have become an everyday tool, making it easier for businesses to engage with consumers. And consumers have embraced the convenience. From coupons, mobile payments, contactless delivery, concert tickets and digital menus to interactive business cards, the technology is projected to hit 94.1 million users by the end of 2023 and exceed 100 million by the close of 2025. That’s a lot of personal and financial data zipping around, and cyber criminals are here for it. So, are QR codes safe? Not always. We’ll look at how QR code scams work, what to look out for, and how you can protect yourself in a scan-happy world.
