When was the last time you scanned a quick response (QR) code? Was it today or sometime this week? Chances are, your response falls into one of these categories. Unless, of course, you don’t own a smartphone.
QR codes are commonly used and are an easy and convenient way to access online information. Due to the growing usage of QR codes, QR code scanners are now built into smartphones. Predominantly, QR codes are used to make payments in stores, access paperless restaurant menus, and fill in feedback forms.
In 2022, about 89 million people in the United States used their smartphones to scan QR codes, which is 26% more than in 2020. The number of people using the QR code scanners on their phones is expected to keep growing and reach over 100 million users in the U.S. by 2025.
However, despite all its benefits, like any other online tool, QR codes come with their share of security issues.
The gray area of QR codes
Generating QR codes isn’t rocket science. These codes can be generated in a couple of minutes from dozens of free websites online. The easy-to-generate, accessible nature of QR codes is what makes them enticing for cybercriminals. They are so prevalent these days that a new term, quishing, has been coined for malicious QR codes that redirect to fraudulent sites.
Moreover, when a QR code is tampered with, it’s hard to distinguish the genuine QR code from the malicious one. All QR codes, tampered with or not, look similar. So, when you glance at them before scanning, there’s little to no way you can find out if it’s malicious.
You might come across them in restaurants, parking areas, phishing emails, and even on social media. Cybercriminals can embed fraudulent websites and post these QR codes practically anywhere. Hence, you must exercise caution when scanning these QR codes, especially when they come from untrustworthy sources.
Essentially, these cyberattacks aim to steal your personal information, especially your banking details. They often create a sense of urgency, prompting you to act quickly. For example, you might be redirected to a fraudulent site claiming that your device has been compromised, and it will falsely request you to download an application claiming to clean the system. However, in reality, it steals personal information from your phone.
The growing list of QR code scams
In the UK, drivers fell victim to a scam, losing around £60 each from their accounts while scanning QR codes for parking. Subsequently, they were advised against using QR codes for parking payments. Reportedly, the country witnessed a significant increase in QR code scams, rising from 12 in 2020 to more than 400 in the first nine months of 2023.
In another incident, a 71-year-old victim was scammed of thousands of pounds at the train station’s parking lot. Criminals covered the legitimate QR code with a fake one, redirecting her to a fraudulent site that requested her card information. What is particularly alarming is that even though the bank had blocked the payments identifying suspicious activity, the criminals called her, posing as bank staff, and managed to take out a loan within 20 minutes as soon as they gained access to her account.
The police in several U.S. cities have also advised residents against using QR codes attached to parking meters for payment. Scammers have placed these codes to redirect individuals to bogus websites to steal their payment details.
Between 2017 and May 31, 2023, there were 20,662 registered cases, accounting for 41%, related to QR codes, malicious links, or debit/credit card fraud in Bangalore, India.
Identifying bogus QR codes isn’t easy, but here are a few tips to help you spot them before it’s too late.
Be cautious while scanning QR codes in public places. It’s okay if you’re using them in familiar locations. Otherwise, it’s better to avoid scanning QR codes, as scammers might tamper with those posted in public places and stick malicious codes onto them. Be extra careful when scanning QR codes in public places and look for any signs of tampering.
Check the redirected link on the QR code before clicking on it. If it is a shortened URL, the chances of it being malicious are higher.
Avoid downloading apps from QR codes, as these applications might aim to steal confidential information, including your contacts and card details. Always make it a practice to download apps from the App Store or Google Play Store.
Scammers often don’t put in the extra effort to make websites error-free and create a sense of urgency for victims to react quickly. Similar to other phishing scams, look for grammatical errors in the website redirected from the QR code, especially when there’s an offer that sounds too good to be true in exchange for personal information.
QR code scams are on the rise, and it’s crucial for everyone to be aware of how scammers may attempt to deceive. These phishing scams are designed to steal personal information. Therefore, any request for personal information should be approached with caution. Always double-check the redirected link, watch for signs of tampering, avoid downloading apps from QR codes, and be vigilant for grammatical mistakes. It’s better safe to be safe than sorry.