QR codes have become ubiquitous in our daily lives, appearing on flyers, restaurant menus, product packaging, and business cards, but do users too readily assume they are always safe to scan?
With the prevalence of QR codes comes increased concern about QR code scams, a topic that is not covered as frequently as it should be given the potential threat these seemingly innocuous codes can pose.
What has been widely accepted as an efficient and commonplace way to point your device to a link can become dangerous if the code was not generated by a trustworthy source. So, let’s discuss QR codes, QR code scams, and whether you might want to simply avoid scanning them entirely when possible.
How do QR code scams work?
Typically, attackers will disguise their code in some way to help it appear legitimate.
Companies do use QR codes for a variety of applications, so it’s easy enough to place a duplicate code over one used on a restaurant table or advertisement. You might also find malicious flyers or stickers masquerading as a seemingly innocuous guerilla marketing campaign.
There have even been reports of authorities finding QR codes posted on parking meters or pay-to-park signs to fool victims into handing over their credit card information.
Example QR code scam
A QR code scam using fake parking tickets was recently discovered in San Francisco. Once scanned, the destination site was a very convincing spoof of a real San Francisco transit page.
Can you tell which one is real?
How do QR code scams work?
QR codes can contain a variety of information like links to websites, email addresses, phone numbers, and even payment information. However, some QR codes are malicious and can send the user to harmful websites or initiate harmful actions, like phishing attacks, malware downloads, or identity theft.
Phishing
QR codes can direct users to phishing sites by exploiting their initial trust.
Malicious codes often contain shortened URLs. This masks the actual destination of the URL, making it difficult for users to identify if it leads to a legitimate website or a phishing site. Scanning the code might redirect users to a phishing website designed to look like a real company’s login page—think banks, credit cards, apps, or subscription services.
If the user fails to notice that they have arrived at a spoof login page, they may fall for the scam and enter their username and password, granting the scammer access to their account.
Similarly, scanning a malicious QR code can trigger a download of a fake application that mimics a popular service or company. Once installed, the app will typically attempt to deceive users into entering sensitive information in the same way.
Scammers usually entice victims into scanning a code with the promise of a discount or special offer. On the other hand, some companies will use real QR codes to sign you up for an email list or register you for an event.
If you are unsure and want to test the legitimacy of an offer extended to you via QR code, it’s best to skip scanning the code and navigate to the service on your own to ensure you are accessing the real app or site.
Malware
While many QR code scams end with the user handing over sensitive information via phishing sites or apps, malware infection can be a concern here as well.
Let’s be clear: simply scanning a QR code cannot infect your phone with malware. However, if the content behind the QR code, such as a website or app, prompts the user to initiate a download, it could potentially expose your device to malicious software.
Malware can take over your device, steal your data, and even spy on your activities. By scanning an unknown QR code, users can be duped into installing malware onto their own devices, leading to serious security and privacy issues.
What happens if you scan a malicious QR code?
If you scan a malicious QR code, the risks can vary greatly from pranks or unwanted email subscriptions to serious financial scams.
Here are some potential threats you may face:
- Unwanted subscriptions: QR codes can subscribe the user to an unwanted service or email marketing list, and even incur unwanted charges.
- Financial fraud: Scanning an untrustworthy QR code can lead to financial fraud, where cybercriminals can access your credit card details or bank account information and use it for fraudulent transactions.
- Malware infections: Some QR codes may link to malware that, once downloaded and installed, can infect your device, leading to data theft, system crashes, and other issues.
- Phishing scams: A QR code can also lead to phishing scams, where cybercriminals can harvest valuable user information.
- Identity theft: Scanning untrustworthy QR codes can also lead to identity theft, where cybercriminals can steal your personal information, including your name, address, and social security number.
What to do if you scanned a malicious QR code?
If you’re suspicious of a QR code you scanned, try to take a closer look at the destination URL. This is the best way to check if a QR code is safe or identify a fake QR code in the first place.
We have a detailed guide to double-checking links available if you need some guidance with this step!
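As an added illustration (not code from this article or its authors), the Python sketch below applies that kind of closer look to the text a scanner decodes from a QR code, covering the shortened-URL problem described earlier as well. The function name, the shortener list, and the sample payloads are assumptions constructed for the example; it inspects the link only and does not follow redirects.

```python
import ipaddress
from urllib.parse import urlsplit

# Small illustrative list of well-known link shorteners (not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly", "buff.ly"}

def triage_qr_payload(payload, expected_domain=None):
    """Classify a decoded QR payload and list reasons for caution."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "other", ["malformed link; do not open"]
    scheme = parts.scheme.lower()
    if scheme in ("mailto", "tel", "sms", "smsto"):
        return scheme, ["pre-fills a message or call; check the recipient"]
    if scheme not in ("http", "https"):
        return "other", ["not a web link; read the raw content before acting"]
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if scheme == "http":
        warnings.append("no TLS (http://)")
    if parts.username or parts.password:
        warnings.append("text before '@' can disguise the real host")
    if host in SHORTENERS:
        warnings.append("shortened URL hides the final destination")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label may render as a lookalike name")
    if expected_domain:
        exp = expected_domain.lower()
        if host != exp and not host.endswith("." + exp):
            warnings.append(f"host {host!r} is not under expected {exp!r}")
    return "url", warnings

# Constructed sample payloads (reserved example domains and test addresses).
SAMPLES = [
    "https://pay.example.org/ticket",
    "https://tinyurl.com/constructed-example",
    "http://example.org@192.0.2.10/login",
    "https://example.org.login.example.net/",
    "tel:+15550100",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", triage_qr_payload(s, expected_domain="example.org"))
```

An empty warning list only means none of these specific signs were found; a shortened link still has to be expanded before its real destination can be judged.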
If it seems like the link you followed leads to a spoof site or is otherwise malicious, of course, don’t click on anything and navigate away. In the event you already entered login credentials or personal data, be sure to change your password for the site or service in question ASAP.
If the site in question is asking you to download an app, don’t. Head to your phone’s app store, and download the app directly from there. If it’s already too late, try to follow these steps to ensure that your device is free from any malware.
Should you scan QR codes at all?
The truth is, users need to be cautious when scanning QR codes. We often let our guard down around this seemingly innocent technology, but it’s important to remember the risks that a QR code scam can expose you to.
While these concerns exist, it’s important to note that not all QR codes are malicious or harmful. Many legitimate uses of QR codes can be convenient ways to access information quickly. Simply being cautious and aware of potential risks is always advisable when interacting with unfamiliar QR codes.
In other words, think before you scan! Be sure to stick to QR codes from trusted sources and be extra wary if you do decide to scan a code of unknown origin.