Hidden Scams: Could QR Code Actually Be a Phishing Attack?

Hidden Scams: Could QR Code Actually Be a Phishing Attack?
Well-known and trusted QR-codes can still pose a threat

Although QR codes have been around for more than 25 years, their use in everyday life has increased dramatically since the pandemic began. But is it always safe to scan them? We hardly think twice about scanning a QR code in a restaurant to view a menu or pay for food. But scammers have begun to take advantage of our trust in QR codes. As a result, QR code phishing is a growing cybersecurity threat. In this article, we’ll tell you what it is, how it works, and how to protect yourself from QR code fraud.

What are QR codes?

A Quick response code (QR code) is an image that can contain 7089 numbers or 4296 characters. Originally QR codes were just tags for physical objects. In the 1990s, the Japanese car industry began using them to track vehicles and components in production. But as QR codes are machine-readable and can store information, they were later used to send data to a smartphone.

Hidden Scams: Could QR Code Actually Be a Phishing Attack?
A classic example of a QR code

Although the type of data contained in a QR code can be different, it is often just a link to a website. For example, in iOS, the Camera app will automatically detect the QR code when you hover over it. You will be prompted to open the linked URL in your default web browser. First of all, this is what you need to remember about QR codes: they are usually nothing more than simple web links. And as we will see, this has profound cybersecurity implications.

What is QR code phishing?

Today many tools can recognize and remove malicious links that can lead to phishing sites or malware. However, the majority of them are not yet able to check malicious QR codes, so cybercriminals have started using them more frequently in their schemes. QR code phishing is very similar to other forms of phishing. It is a social engineering attack designed to get people to hand over personal information, whether it is login credentials or financial information. QR code phishing is nothing new. The difference is that it uses a QR code to get the victim to a malicious website. Like any other phishing attack, its sole purpose is to get you to enter your sensitive info, like social security number, bank login information, email credentials, or so.

An example of using a phishing QR code

Threats that QR codes can pose

So, it seems evident that we instinctively trust QR codes, but should we? We need to examine how QR codes can pose a threat to answer that question. This research has revealed how hackers can manipulate QR codes to steal your personal information, opening the way for organizations to be hacked. The latter should encourage their employees to be careful about whom they offer personal information, including double-checking the web address to which they were sent by a QR code that matches what they expect.

Signing up for a job fair, entering a contest, or a survey might seem like legitimate reasons to share your personal information. However, double-checking the web address should help confirm its authenticity. If the web address doesn’t look like what the organization’s website should look like, don’t trust it. A QR code can send the user to a fake version of a mobile app store. Through this attack, it is possible to access the user’s phone, personal (or corporate confidential) messages, GPS location, and even camera. This can seriously threaten any business, risking company data and leaving it open to a devastating attack. Organizations should take an interest in their employees’ personal security by encouraging them to check the source of applications or downloads to prevent foul play from affecting them.

The notorious QR code attacks

  • In China, there were caught scammers who placed fake parking tickets with QR codes for convenient payment with the help of cell phones on parked cars.
  • In the Netherlands, fraudsters used a legitimate feature of a mobile banking app to scam bank customers with QR codes.
  • In Germany, fake emails containing QR codes lured eBanking customers to malicious websites under the pretext of reviewing privacy policy updates for their accounts.
  • In Texas, criminals pasted stickers with malicious QR codes to the city parking meters. This way, they tricked residents into entering credit card details into a fake phishing site.

With the rise of such attacks, there is a need to raise awareness and do more to keep people from falling for the attackers’ tricks.

How to protect yourself and your organization

It’s not too different from how we used to double-check emails and strange texts. However, we need to learn to be more discerning about QR codes.

  • Don’t scan! Trust your instincts. If a code seems suspicious, don’t scan it. Underneath any legitimate QR code, there should be a URL to which the QR code refers. That way, you can enter it directly or through a search engine. A missing URL should raise suspicion.
  • Slow down. Take a second to put under the circumstances before you scan. Do you know exactly who posted the QR code there? Can you believe it hasn’t been tampered with? Is there even a need to use a QR code in this situation?
  • Check the URLs of the QR code carefully. As with a tricky website, check the URL you’re being sent to before moving on. If it seems suspicious, misspelled, or doesn’t match the organization you’re trying to access, don’t open the link. For example, in the parking meter scam in Texas, part of the URL used was “passportlab.xyz”-it doesn’t look like an official government website.
  • Look for signs of physical tampering. An easy way to gain your trust is to cheat the legitimate use of a QR code, such as in a parking lot. So, think hard if there are signs of tampering, such as a sticker over another code.
  • Never download apps from QR codes. Attackers can easily clone and tamper with websites. Instead, always go to the official app store for your device to download the app.
Hidden Scams: Could QR Code Actually Be a Phishing Attack?
Fake QR code sticker pasted on top of the real one
  • Do not make a payment using QR codes. Instead, use a (securely downloaded) proprietary app or search online for an official payment site.
  • Enable multi-factor authentication (MFA). If there is an unintended attack on any of these, MFA will prevent an attacker from accessing your accounts (email or social media accounts) with a simple login and alert you to the suspicious attempt.

When it comes to QR codes, the best advice is always to use common sense. We better think twice about the slightly odd emails, calls, and text messages we receive, realizing that they may have a hidden malicious purpose. Somehow QR codes have escaped this extra scrutiny, and more and more people are scanning them without thinking twice, but it’s time to change that. Scan safely.

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

View all of Stephanie Adlam's posts.

Leave a comment

Your email address will not be published.