Monday, October 14, 2024

How scammers use QR codes to steal—and how you can protect yourself

Uniqode analyzed best practices shared by law enforcement to compile a list of safety tips for consumers when using QR codes in public.


QR code scan with stop symbol on it.

Billion Photos // Shutterstock

With great convenience comes great responsibility. QR codes have opened up a whole new world of ease for consumers and businesses. But as with any new tech, scammers are exploiting the growing market to take advantage of consumers.

Uniqode analyzed resources from the FBI and the Federal Trade Commission to compile a list of tips on staying safe when using QR codes in public.

QR codes are the now-ubiquitous black-and-white patterned squares that, when scanned, open a link in your phone's web browser. Almost annually, the FBI has warned consumers that criminals are using QR codes to steal sensitive information.

The rise of QR codes for contactless exchanges during the COVID-19 pandemic made the technology all the more appealing for criminals, according to cybersecurity firm Trellix. More than a third of smartphone users scanned a QR code in 2022, a share expected to rise to 42.6% by 2025, according to data forecaster eMarketer. The public adoption of QR codes and their cost-saving potential for businesses has helped keep them around long after pandemic safety measures faded away.

But a little vigilance goes a long way when using these links. One commonly reported QR code scheme is a variant of the package delivery scam usually carried out by text message. The potential victim receives a message that appears to come from FedEx or another reputable company, directing them to scan a QR code to check the status of a delivery. Instead of the real company website, the code opens a convincing fake. Any username and password entered on the fake page go straight to the criminals, who can use them to get into the victim's real accounts.

What is quishing?

Closeup of smartphone making mobile payment via QR code.

Phoderstock // Shutterstock

QR codes are also easy and cheap for anyone with a phone or computer to generate. The FBI reported about $150 million in losses attributable to QR code scams in the last year. Phishing carried out through a QR code is sometimes called "quishing."

In spirit, the practice is the same as phishing: a criminal tries to dupe the victim into revealing personal information that can be used to get into sensitive accounts such as banking and email. The difference is the delivery. Instead of a link in a shady email or text message, the link is encoded in the QR code, and your phone opens it when you scan. Because the link is hidden inside an image, it is also harder for you, and for email filters that check links in message text, to read before you scan.

Retail payment dupes

Hand holding phone scanning QR code with blurred parking lot as background.

panuwat phimpha // Shutterstock

Numerous scams have been reported in which criminals paste fake QR codes over genuine ones on parking meters, restaurant menus, advertisements, and other places where people expect to pay by phone. The code opens a counterfeit payment page, and the page captures whatever card details the victim types into it, including details the phone's browser autofills from saved payment methods.

Whenever you scan a QR code with your phone camera, a preview of the link usually appears on your screen before anything opens. Read it. Check that the address begins with "https://" (the "s" stands for "secure" and means the connection is encrypted), but do not stop there: criminals can obtain certificates for their own domains, so a fake site can use https too. The part that matters most is the domain name, the part between "https://" and the next "/". It should be exactly the business's own domain, not a look-alike such as the business's name followed by an unfamiliar ending, and not a link shortener that hides where you will end up.
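As an added example (not code from Uniqode, the FBI, or the FTC), the following Python script performs the same reading of a link preview that the paragraph asks you to do by eye: it splits a QR payload into scheme and host, flags plain http, user info hidden before an "@", raw IP addresses, link shorteners and non-ASCII look-alike hosts, and compares the registered domain against a list of domains you actually expect. The expected-domain list and the sample payloads are constructed for illustration (reserved .example names), and the registered-domain logic is a two-label approximation, as noted in the code.

```python
"""
Inspect the link a QR code decodes to, the way you would read the preview
your phone shows before tapping it. Added example, not code from Uniqode,
the FBI or the FTC. The expected-domain list and the sample payloads are
constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Domains the user legitimately expects in this scenario: a parking operator
# and a bank. Constructed placeholders on the reserved .example TLD.
EXPECTED_DOMAINS = {"city-parking.example", "bank.example"}

# Well-known public link shorteners. A shortener hides the real destination
# behind a redirect, so the preview tells you nothing about where you end up.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "goo.gl"}


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Good enough for the .com / .example hosts used here; real tooling should
    consult the Public Suffix List so that e.g. 'shop.example.co.uk' is handled.
    """
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def inspect_qr_url(raw: str, expected=EXPECTED_DOMAINS) -> dict:
    """Return the parts of the URL a reader should look at plus a list of findings.

    An empty findings list means nothing looked wrong. It does not prove the
    site is genuine: https and a sensible name are necessary, not sufficient.
    """
    findings = []
    parts = urlsplit(raw.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in ("http", "https"):
        # e.g. tel:, sms: or a custom app scheme: the phone may hand the
        # payload to another app instead of showing a web page.
        findings.append(f"non-web scheme '{scheme or '(none)'}'")
    elif scheme == "http":
        findings.append("plain http, not https")

    if not host:
        findings.append("no hostname in the link")
        return {"scheme": scheme, "host": host, "registered_domain": "",
                "findings": findings, "ok": False}

    if parts.username is not None:
        # 'https://bank.example@attacker.example/' shows the bank's name first,
        # but everything before '@' is login info, not the site you reach.
        findings.append("user info before '@' disguises the real host")

    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised/punycode label, possible look-alike characters")

    reg = registered_domain(host)
    if reg in SHORTENERS:
        findings.append(f"link shortener {reg} hides the real destination")

    if expected and reg not in expected:
        for d in sorted(expected):
            if d in host:
                # The expected name is present, but only as a subdomain or
                # fragment of a domain somebody else registered.
                findings.append(f"'{d}' appears inside '{host}' but is not the registered domain")
        findings.append(f"registered domain '{reg}' is not one you expected")

    return {"scheme": scheme, "host": host, "registered_domain": reg,
            "findings": findings, "ok": not findings}


# Constructed QR payloads for the demonstration, not real scam URLs.
SAMPLE_PAYLOADS = {
    "genuine meter":  "https://pay.city-parking.example/meter/1042",
    "lookalike host": "http://city-parking.example.pay-now.example/meter/1042",
    "shortener":      "https://bit.ly/park1042",
    "userinfo trick": "https://bank.example@login-verify.example/",
    "cyrillic a":     "https://b\u0430nk.example/login",  # U+0430 looks like 'a'
    "not a website":  "tel:+15551234567",
}

if __name__ == "__main__":
    for name, url in SAMPLE_PAYLOADS.items():
        result = inspect_qr_url(url)
        verdict = "looks consistent" if result["ok"] else "STOP: " + "; ".join(result["findings"])
        print(f"{name:15} {result['host']:40} {verdict}")
```

Run it as a script to see one verdict per constructed payload; only the genuine meter link passes, and the others each show the specific clue a reader should have noticed in the preview.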

'QRLJacking'

Hand holding black phone with QR code on the screen.

E.Va // Shutterstock

Another form of attack tracked by cybersecurity firms has been dubbed QRLJacking. It abuses the "log in by scanning a QR code" feature some services offer, where you sign in on a computer by scanning a code on the login page with a phone app that is already logged in. The attacker opens the genuine login page, copies the freshly generated login code into a message or a fake page, and urges the victim to scan it. When the victim scans with their logged-in app, the service authenticates the attacker's browser session instead of the victim's, and no password ever has to be typed. Only scan a login code that you yourself requested, on a screen in front of you, and never one that arrives in a message.

As a technology, QR codes allow users to move very quickly to the point of purchase. Remember to slow down and assess the situation.

If you receive an unexpected notification with an accompanying QR code via text message or email, be wary of any instructions urging you to act quickly. Cybercriminals commonly employ urgency because it encourages uncertainty and rushed decisions, the conditions under which a victim is most likely to make a mistake such as entering personal information into a webpage without thinking twice.

Secondhand transactions

Customer using phone for payment.

Nattakorn_Maneerat // Shutterstock

While QR codes are convenient for businesses to use for mass transactions, the benefits don't outweigh the risks in a direct payment situation when buying things secondhand, for example.

Cybersecurity firm KeepNet reported a scam in which the victim was sent a malicious QR code during a Facebook Marketplace transaction. Be wary of these; opening a trusted payment platform like Zelle or PayPal directly, rather than through the other party's code, usually makes the most sense. If you work in an industry particularly targeted by these scams, like finance or the energy sector, extra caution may be necessary.

The FBI recommends against downloading applications or making payments directly on sites linked to QR codes since they could potentially be malicious. Instead, navigate to the URL manually so that a payment can be made confidently on a trusted, known website, the agency recommends.

Fake scanning apps

A woman enters a one-time password on a two-step authentication webpage.

mgequivalents // Shutterstock

Other scams involve phony QR code scanning applications that are actually malicious software and install malware on your phone. The camera app on most leading smartphones scans QR codes natively, so there is generally no need to install a separate app.

Smartphones are an especially attractive target because of the sheer amount of personal information stored on them, and attackers constantly look for software vulnerabilities to exploit. Keeping your phone's operating system and apps up to date closes the known holes that malicious downloads rely on. Updates cannot stop you from typing a password into a fake page, but they limit what a malicious link or app can do once it is opened.

Another safeguard is multifactor authentication, which adds a second check beyond the password and is offered by all leading email platforms, social networks, and reputable banks. After entering the password, the user confirms their identity with a code, an app prompt, a physical security key, or a passkey.

A criminal who captures a password through a QR code scam still cannot log in without that second factor. One caveat: a sophisticated fake page can relay a texted or app-generated one-time code to the real site during the seconds it stays valid. Where the service offers it, prefer a passkey or hardware security key, which only works on the genuine domain and cannot be relayed by a fake one.

Story editing by Alizah Salario. Additional editing by Elisa Huang. Copy editing by Tim Bruns. Photo selection by Clarese Moller.

This story originally appeared on Uniqode and was produced and distributed in partnership with Stacker Studio.