QR Code Phishing Scams: Think Before You Scan
Is it me or are QR codes popping up everywhere these days?
The most recent one I noticed was Coinbase’s Super Bowl LVI ad. If you were a bit confused and anxious waiting for the little box to fit perfectly in the corner of the screen, you weren’t alone.
If you pulled out your phone and scanned the QR code, you definitely were not alone.
According to Coinbase, that commercial drove over 20M hits to their landing page in one minute. (That must be some sort of a record, right?)
But that ad made me start to think.
It’s easy to get people to scan a QR code. What if the code led to a website with bad intentions?
Of course, my brain thinks this way because I work in the cybersecurity industry, but what about others who haven’t had cyber awareness training?
If you’re not educated on common cyber threats like phishing attempts, you could fall victim to one of these clever scams.
What are QR Codes?
Quick response codes (QR Codes) have been around since the '90s, and were originally used in the automotive industry to help track vehicles during manufacturing.
Today, we see them everywhere. The pandemic fueled the usage of QR codes as organizations attempted to reduce transmission and follow protocols.
For example, restaurants replaced physical menus with QR codes that link to an online version of their menu. Customers scan the code and have the full menu right on their phones.
Cybercriminals were also quick to note the sudden surge in QR codes and went to work trying to exploit the technology’s undeniable convenience. Scammers are now creating their own QR codes to trick people into giving up their important personal information like bank account or workplace login credentials.
It’s important to note that scanning a QR code with your phone is relatively harmless in itself: the scan only decodes a link. The danger is where that link takes you. Bogus QR codes made by bad actors can take you to a fake website designed to steal your credit card info, login credentials or other personal information.
QR Code Phishing Tactics
You may be familiar with email phishing scams, as these are a common attack vector for hackers. In a phishing attack, a cybercriminal will send you an email or message via social media. They’ll pose as someone you know or trust to steal your data. Workplaces have taken to educating end-users on traditional phishing tactics, but now scammers are using QR codes to steal credentials.
Most people are fairly good at spotting scams, but scammers are becoming more cunning by using QR codes. Cybercriminals might send an email or flyer, or put QR code stickers in public places, while pretending to be from a large organization you trust. These bogus codes usually lead to fake websites with the goal of collecting your credentials.
Take the City of Austin for example. Scammers used fake QR codes on parking meters to collect credit card information from people trying to pay to park their vehicles.
The city uses QR code technology to let motorists pay for parking online via the city’s website. Motorists simply scan the QR code on the parking meter and enter their payment information.
The scammers used this to their advantage by creating their own QR code stickers and placing them over the legitimate codes on the parking meters. Then, when a person scanned the code, they were taken to a fake (but convincing) website where they were prompted to enter their credit card information.
Scammers aren’t just deploying their QR code phishing attacks in the physical world. Recently, the use of malicious QR codes has been seen in email phishing attempts and in online advertisements.
QR code phishing attempts aren’t as common as traditional email phishing tactics like malicious attachments or suspicious links, but it’s important to be aware of the potential threat.
Hackers may try using QR codes in phishing emails because the link is hidden inside an image rather than written as text, so it can often remain undetected by email security software that scans links. Also, it’s easier for hackers to send out emails than it is to distribute physical QR code stickers around various locations. You should automatically be suspicious of emails containing QR codes.
Tips to Prevent QR Code Phishing Scams
Here are some easy ways to protect yourself from falling for a QR code phishing scam:
1. Think before you scan
Before you scan a QR code in a public place, it’s worthwhile to examine the code. It’s good practice to check:
- Whether the code is a sticker placed on top of a sign or printed as part of it
- Whether the code looks like it was purposefully part of the original design
When you scan a QR code, make sure to examine the website and look for red flags, such as being asked for login or payment information. Also, keep an eye out for misspelled words and trust your gut if something doesn’t feel right. You can always search for the site you’re looking for manually on your smartphone if you’re unsure about the QR code link.
It’s also a good idea to avoid downloading apps from QR codes. To safely download apps, you should use your device’s native app store.
2. Examine the code’s URL
Always inspect the website URL the code wants to take you to. Ask yourself these questions:
- Are there any minor spelling variations?
- Is there an unusual country domain?
- Are there any strange characters? (For example, substituting "1" for "l")
- Does the URL look like what you were expecting?
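The four questions above can be turned into a mechanical check. The following script is an added example (not code from the original post or from Loffler): it takes a URL already decoded from a QR code, compares it with the domain the user expected to land on, and reports the red flags the list describes (look-alike characters such as "1" for "l", an unexpected country domain, a minor spelling variation, or the expected name buried as a subdomain of something else). The `parkingportal.example` domain and the sample URLs are constructed for illustration; the homoglyph table is an assumption and is deliberately not exhaustive.

```python
"""Flag red flags in a QR-decoded URL versus the domain the user expected.
Added example, not from the original post. Sample domains are constructed."""
from urllib.parse import urlparse

# Characters scammers commonly swap in for look-alikes (assumed list, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize_host(host):
    """Map look-alike characters back to the letters they imitate."""
    h = host.lower()
    for fake, real in HOMOGLYPHS.items():
        h = h.replace(fake, real)
    return h


def edit_distance(a, b):
    """Levenshtein distance, written in-line so the example has no third-party dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude registrable domain: the last two labels ("pay.x.example" -> "x.example")."""
    return ".".join(host.split(".")[-2:])


def check_url(url, expected_domain):
    """Return a list of red-flag descriptions (empty list means no flags)."""
    flags = []
    # A bare hostname from a QR code gets a scheme so urlparse can find the host.
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    expected = expected_domain.lower()
    if not host:
        return ["no hostname in URL"]
    if parsed.scheme != "https":
        flags.append("not HTTPS")
    # Non-ASCII or punycode labels can hide characters that look like ASCII letters.
    if any(label.startswith("xn--") or not label.isascii() for label in host.split(".")):
        flags.append("internationalized/punycode host")
    domain = registrable_domain(host)
    if "." not in domain:
        flags.append(f"host {host} has no top-level domain")
        return flags
    if domain == expected:
        return flags  # exact match on the registrable domain
    # Expected name used as a subdomain of an unrelated domain.
    if host.startswith(expected + ".") or "." + expected + "." in host:
        flags.append(f"expected domain appears only as a subdomain of {domain}")
        return flags
    # Strange characters: digits or letter pairs imitating the real name.
    if normalize_host(domain) == expected:
        flags.append(f"look-alike characters: {domain} imitates {expected}")
        return flags
    name, tld = domain.rsplit(".", 1)
    ename, etld = expected.rsplit(".", 1)
    if tld != etld:
        kind = "country-code" if len(tld) == 2 else "top-level"
        flags.append(f"unexpected {kind} domain .{tld} (expected .{etld})")
    if name != ename:
        if edit_distance(name, ename) <= 2:
            flags.append(f"minor spelling variation: {name} vs {ename}")
        else:
            flags.append(f"host {host} does not match expected {expected}")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs a parking-meter scanner might decode.
    expected = "parkingportal.example"
    for sample in [
        "https://pay.parkingportal.example/meter/42",
        "http://parkingportal.example/meter/42",
        "https://parkingp0rta1.example/login",
        "https://parkingportal.example.pay-now.net/",
        "https://parkingportal.ru/meter",
        "https://parkingportaI.example/meter",
    ]:
        print(sample, "->", check_url(sample, expected) or "OK")
```

The registrable-domain logic is intentionally crude (it does not know about multi-label suffixes such as `co.uk`), so treat the output as a prompt to look closer, not as a verdict; the last question in the list, whether the URL looks like what you were expecting, still needs a human.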
3. Be wary of QR codes in emails
Whenever you’re sent a QR code in an email it’s best to automatically be suspicious. If you’re already online via your computer, why would you need to use another device to visit the code’s link? Also, if you’re checking emails on your mobile device, it’s obviously tough to scan the code. It doesn’t make much sense to put a QR code in an email. It’s best to skip these emails entirely.
Phishing attacks are nothing new. Using QR codes is just another tactic scammers use to take advantage of people. It’s important for people and organizations to learn about the dangers that come with using and working online.
Remember, if you receive an unexpected email, even from someone you know, or something feels off, it's worth the time and effort to verify its legitimacy.
Mike is the Vice President of Information Technology at Loffler. He has been in the IT field since 1993 and was previously an owner of a successful IT solution provider for 12 years. Mike has managed both security and managed service teams and consulted on IT management for both large and SMB organizations. Little known fact: While in college, Mike was the lead singer for a garage band called Mojo and the Kingsnakes. This is now known as “Classic Rock.”