Cybercriminals are constantly looking for new ways to exploit victims, and the rise of QR codes during the COVID-19 pandemic brought an equal rise in the prevalence of QR code scams worldwide. QR codes are used by many different types of establishments as a quick way to pay a bill or be led to a website. They became particularly popular during the pandemic as a way to stop the spread of germs by using them instead of menus in restaurants.
Cybercriminals have taken advantage of this newly popular technology by replacing trustworthy QR codes with malicious ones that infect devices or divert users to a phishing website that appears legitimate, enticing users into handing over personal information. With anti-phishing platform TitanHQ estimating that 84% of smartphone users have scanned a QR code at least once, and over 34% scanning one at least once a week, anyone could be a victim. However, there are a few preventative measures that can be taken to avoid becoming a victim of this new crime.
What are QR Codes?
Quick Response (QR) codes work by embedding instructions in a black and white ‘dot square’ that can be scanned by smartphones and other devices. Once scanned, a link will pop up that could lead to websites, videos or apps. QR codes can be considered an evolution of the barcodes seen in supermarkets, except that instead of transferring a product’s data to a cashier, they lead the user to websites and other multimedia.
Types of QR code scams and how they are being used maliciously
There are two main ways that QR codes are being used maliciously. The first is drive-by downloads. This is when the link associated with a malicious QR code begins to download malware onto the device without the user being aware. There are three main purposes to this:
As this form of QR code scam gives no warning, does not entail entering any personal information and gives the bad actor access to the device and its files, it can be seen as the most harmful type of QR code scam. It is therefore imperative to follow the guidelines below when engaging with a QR code to avoid becoming a victim.
Quishing is a mash-up of the words QR codes and email phishing, and works much like the phishing scams in emails or by text that have been around for many years. By replacing a legitimate QR code, or attaching a fake QR code to a trustworthy brand or entity, the user is tricked into trusting the link and entering personal information. Fake QR codes have been seen in restaurants, in emails impersonating reputable organisations like Microsoft Office and on fake-but-trustworthy-looking bank leaflets, proving that no entity is safe from the possibility of its name being used in QR code scams.
In Texas, bad actors used stickers with fraudulent QR codes on parking meters to trick drivers into thinking they could pay their meter fare through a ‘Quick Pay Parking’ website. In reality, there was no way to pay the meter online, and cybercriminals were logging people’s credit card information to be used for malicious purposes. Bad actors will go to great lengths to make a phishing website appear legitimate by using the same colours, branding and a similar-looking link. At first glance, the website may look like the genuine website that the user would expect; however, steps like those below should be taken on any website when entering personal information, especially on websites found through QR codes.
How to be safe when using QR codes
The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.
The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.