Cybercriminals are constantly looking for new ways to exploit victims and with the rise of QR codes during the COVID-19 pandemic, came an equal rise in the prevalence of QR code scams worldwide. QR codes are used by many different types of establishments as a quick way to pay a bill or be lead to a website. They became particularly popular during the pandemic as a way to stop the spread of germs by using them instead of menus in restaurants.

Cybercriminals have taken advantage of this newly popular technology by replacing trustworthy QR codes with malicious ones that infect devices or divert users to a phishing website that appear legitimate to entice users into handing over personal information. With anti-phishing platform TitanHQ estimating that 84% of smartphone users have scanned a QR code at least once, and over 34% scanning one at least once a week it, anyone could be a victim. However, there are a few preventative measures that can be taken to not become a victim of this new crime.

What are QR Codes?

Quick Response (QR) codes work by embedding instructions in a black and white ‘dot square’ that can be scanned by smartphones and other devices. Once scanned, a link will pop up that could lead to websites, videos or apps. QR codes can be considered as an evolution to barcodes seen in supermarkets, except instead of transferring data of a product to a cashier, they lead the user to websites and other multimedia.

Types of QR code scams and how they are being used maliciously

Drive-by Downloads

There are two main ways that QR codes are being used maliciously. First, is the use of drive-by downloads. This is when the link associated with the malicious QR codes begins to download malware onto the device without the user being aware. There are three main purposes to this:

1. Spy on device activity – to see what websites are used and spy on what is typed in to steal personal information such as credit card data and address information
2. Hijack the device – to further infect the device that scanned the QR code or infect other devices
3. To disable the device or ruin data – this is simply to cause trouble and personally harm the user

As this form of QR code scams gives no warning, does not entail entering any personal information and gives the bad actor access to the device and its files, it can be seen as the most harmful type of QR code scam. It is therefore imperative to follow the guidelines below when engaging with a QR code to prevent becoming a victim.

Quishing

Quishing is a mash-up of the words QR codes and email phishing and works much like phishing scams in emails or by text that have been around for many years. By replacing a legitimate QR code, or attaching a fake QR code to a trustworthy brand or entity, the user is tricked into trusting the link and entering personal information. Fake QR codes have been seen in restaurants, emails impersonating reputable organisation like Microsoft Office and on fake-but-trustworthy-looking bank leaflets proving that no entity is safe from the possibility of its name being used in QR code scams.

In Texas, bad actors used stickers with fraudulent QR codes on parking metres to trick drivers into thinking they could pay for their metre fair through a ‘Quick Pay Parking’ website. In reality there was no way to pay the metre online and cybercriminals were logging people’s credit card information to be used for malicious purposes. Bad actors will go to great lengths to make a phishing website appear legitimate by using the same colours, branding and a similar looking link. At first glance, the website may look like the genuine website that the user would expect, however steps, like those below, should be taken on any website when entering personal information, especially those websites found through QR codes.

How to be safe when using QR codes

• Check for signs that the QR code has been tampered with – Cybercriminals may cover or replace a legitimate QR code with a fraudulent one on restaurant tables, napkin holders, flyers and posters for example. Ensure the QR code has not been stuck on and is not a movable object that could be easily replaced.
• Be extra cautious of QR codes in public places or in the mail – These QR codes could have been placed there by a bad actor. Scanning QR codes in public places or ones that have come through the mail should be avoided as much as possible.
• Always look at the link before opening it in a browser – After scanning the QR code but before clicking on the link, analyse the URL. Make sure the link correlates to the subject it is for and be wary of shortened links. If the link displayed does not feel legitimate, type out the URL into a browser if it is known.
• Check the website for signs it is illegitimate – Look for the associated branding, the lock next to the website URL in the browser that indicates it is secure, and that the grammar and language is correct. If at any point the website feels off, do not enter any personal details.
• Keep devices up to date – Cybercriminals will take advantage of devices that have not been updated with the latest software which keeps smartphones and other devices protected. Having up-to-date software can protect devices from potential harmful scams.

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

References

https://www.express.co.uk/finance/personalfinance/1673689/qr-code-scam-how-to-avoid-expert-tips-crypto-scams

https://www.repubblica.it/economia/diritti-e-consumi/diritti-consumatori/2022/11/06/news/la_truffa_parte_da_un_qr_code_e_la_nuova_frontiera_del_phishing-372415799/

https://mashable.com/article/beware-qr-code-scams

https://www.aura.com/learn/fake-qr-code-scams

https://www.mcafee.com/blogs/mobile-security/be-on-the-lookout-for-a-new-wave-of-qr-code-scams/

https://news.italy24.press/business/202673.html

https://www.securitymagazine.com/articles/97949-qr-code-phishing-scams-target-users-and-enterprise-organizations

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.