Cybercriminals are increasingly using malicious QR codes to trick consumers.
The pandemic fueled a surge in the use of QR codes. Seeking to cut down on possible transmission, restaurants replaced physical menus available to all customers with online versions accessible on your own personal phone. Scan that little square and you’ll find out what the house special is.
Cybercriminals quickly took note and are starting to exploit the technology’s undeniable convenience. Scammers are creating their own malicious QR codes designed to dupe unwitting consumers into handing over their banking or personal information.
“Anytime new technology comes out, cybercriminals try to find a way to exploit it,” said Angel Grant, vice president of security at F5, an app security company. That’s especially true with tech like QR codes, which people know how to use but might not know how they work, she says. “It’s easier to manipulate people if they don’t understand it.”
QR codes — the abbreviation stands for “quick response” — were invented in Japan in the 1990s. They were first used by the automotive industry to manage production but have spread everywhere. Websites and apps have cropped up that let you make your own.
Now they’re being exploited by cybercriminals in a spin on an email phishing scam. Scanning the bogus QR codes won’t do anything to your phone, such as download malware in the background. But it will take you to scammy websites designed to get bank account, credit card or other personal information.
Like any other phishing scheme, it’s impossible to know exactly how often QR codes are used for malicious purposes. Experts say they still represent a small percentage of overall phishing, but numerous scams involving QR codes have been reported to the Better Business Bureau, especially in the past year.
Most recently, the FBI issued a warning advising consumers to think before they scan potentially sketchy QR codes.
Many people know they need to be on the lookout for phishy links and questionable attachments in emails that purport to be from the bank. But thinking twice about scanning a QR code with your smartphone camera isn’t second nature for most people.
Taking advantage of unsuspecting motorists might have been behind the nearly 30 malicious QR code stickers recently found on parking meters in Austin, Texas, which uses QR code technology to let drivers pay for parking online.
Instead of being taken to the city’s authorized website or app, however, motorists who scanned the scam stickers were led to a fake website that collected their credit card information.
Police don’t know how many people were duped. The department encourages anyone who thinks they may have had their credit card information stolen by the fake website to contact them.
Austin isn’t the only city to experience bogus QR code scams. Officials in San Antonio, Texas, about 80 miles away, issued a warning after spotting similar stickers connected to a fake parking payment website.
QR codes take people from the physical world to the online one. That’s why it makes sense to use them in scam stickers, as well as paper junk mail, said Brad Haas, cyber threat intelligence analyst for Cofense, an email security company. It gets people online who weren’t already.
Haas says scam QR codes are also starting to show up in phishing emails and online ads, a tactic that leaves him scratching his head. “There’s really no reason for someone to pull out their phone and scan a QR code that’s in an email they’re already looking at on their laptop,” Haas said. After all, the recipient is already online with their laptop. Why would a legitimate sender want them to connect with a second device? For that reason, consumers should regard any email containing a QR code with suspicion, he says.
Still, the phony codes show up in phishing emails, though not as often as tried-and-true tactics, like attachments containing viruses or links to scam websites. Cofense recently spotted a phishing scam targeting German speakers that included a QR code in an attempt to lure mobile banking users.
Hackers may like using QR codes in phishing emails because they often aren’t picked up by security software, giving them a better chance to reach their intended targets than attachments or bad links, says Aaron Ansari, vice president for cloud security at the antivirus company Trend Micro.
Even if the success rate is lower, it’s a lot easier to send out millions of phishing emails than it is to physically place stickers on parking meters and bus stops.
What it boils down to is that QR codes are just one more way for cybercriminals to get what they want and yet another threat people need to be on the lookout for.
“There are so many ways for you to be compromised these days,” Ansari said, “but it only takes one.”
Tips from the experts
Think before you scan. Be especially wary of codes posted in public places. Take a good look. Is it a sticker or part of a bigger sign or display? If the code doesn’t look like it fits in with the background, ask for a paper copy of the document you’re trying to access or type the URL in manually.
When you do scan a QR code, take a good look at the website it led you to, Haas recommends. Does it look like you expected it would? If it asks for login or banking information that doesn’t seem needed, don’t hand it over.
Codes embedded in emails are almost always a bad idea. Take Haas’ advice and skip these entirely. The same goes for codes you receive in unsolicited paper junk mail, such as those offering help with debt consolidation, Grant says.
Preview the code’s URL. Many smartphone cameras, including iPhones running the latest version of iOS, will give you a preview of a code’s URL as you start to scan it. If the URL looks strange, you might want to move on.
Better yet, Ansari recommends using a secure scanner app, which is designed to spot malicious links before your phone opens them. His company, Trend Micro, offers a free one, as do some of the other big antivirus companies.
But stick to the well-known security companies, he says. Malicious QR scanning apps designed to scrape user information have made it into the app stores in the past.
Use a password manager. As with all kinds of phishing, if a QR code takes you to an especially convincing fake website, a password manager will still know the difference and won’t autofill your passwords, Haas says.
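The “preview the URL” and “does it look like you expected” advice above, turned into an added example that is not from the article or any of the companies quoted: a small Python screen over a decoded QR payload (the text a scanner reads out, not the image) that applies the checks the experts describe before a link is opened. The authorized host, the shortener list and the sample payloads are constructed placeholders, not the real Austin parking site.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder for the city's authorized payment host (not the real site).
AUTHORIZED_HOSTS = {"parking.example.gov"}
# A few widely used public shorteners; they hide the real destination from a preview.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def screen_qr_payload(payload, expected_hosts=AUTHORIZED_HOSTS):
    """Return (verdict, reasons) for a decoded QR payload.

    verdict is 'ok', 'suspicious' (right host, odd shape) or 'reject'.
    """
    reasons = []
    if not payload.lower().startswith(("http://", "https://")):
        # tel:, sms:, wifi: and friends are not what a parking meter should hand you
        return ("reject", ["payload is not a web URL: " + payload[:40]])
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if parts.username or parts.password:
        # 'https://parking.example.gov@evil.example/' shows the good name first
        reasons.append("credentials embedded in URL")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if host in SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    if host not in expected_hosts:
        for expected in expected_hosts:
            if expected in host:
                # the good name appears as a prefix/label of a longer attacker host
                reasons.append(f"host {host} only resembles {expected}")
        reasons.append(f"host {host} is not an authorized host")
        return ("reject", reasons)
    return ("suspicious" if reasons else "ok", reasons)
```

A real scanner app would run this kind of check between decoding and opening the link; here the payload is supplied directly so the logic can be exercised offline.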