Checklist 263: Avoiding QR Code Phishing Scams
On this edition of The Checklist, we’ll discuss QR code scams. We’ll cover:
QR code scams on the rise
QR codes made a comeback last year, spurred by the COVID-19 pandemic and the need for contactless … well … everything.
You’ve seen QR codes before. They’re those little black and white squares that you scan with your smartphone. Basically, they’re just square barcodes that hold information.
QR codes can store all kinds of data, but more often than not, they just contain a link to a website that opens when you scan the code with your device and tap the screen.
In other words, QR codes are a fast, easy way to get mobile users to websites — and have become so ubiquitous over the past year that most people have been conditioned to scan them without a second thought. Predictably, this situation is now being exploited by bad actors all over the world.
QR code phishing is on the rise. What is it? Basically, it’s quite similar to other kinds of phishing. It’s a social engineering attack that tries to steal sensitive data, login details, or credit card information. But while “traditional” phishing relies on emailed links to get victims to a phishing website, QR code phishing does the same thing via, you guessed it, QR codes!
QR phishing in practice
There are tons of variations on QR code scams, limited only by the scammers’ ingenuity. Here are some examples of how the bad guys have used QR phishing to scam people:
In China, scammers put fake parking tickets on cars with QR codes for “paying” the tickets. Unfortunately, the QR codes actually routed payments to an account controlled by the scammers.
In the Netherlands, ING Bank customers fell victim to a QR scam that made use of a legitimate feature of the bank’s mobile banking app. Scammers looked for ING customers who were selling things online, asked for their account numbers in order to send them a wire transfer, and then sent them a QR code so that they could “confirm the payment”. But if they scanned the QR code, their bank accounts would be linked up to the ING banking app installed on the scammers’ device!
In Germany, folks have been getting emails from scammers pretending to be banks. The scammers tell people that they need to confirm a privacy policy or read through some new security procedures. The emails include a QR code that supposedly takes you to the web page where you can do this. But if you scan it, you’re taken instead to a phishing site that asks for your username and PIN.
In Texas, criminals have started putting malicious QR codes on city parking meters. Police in Houston, San Antonio, and Austin say that they’ve all found stickers with the fake QR codes. The stickers attempt to fool drivers into believing that they’re paying for parking online. But in reality, the QR codes link to a phishing website that steals credit card details.
How to avoid QR code scams
In today’s world, it’s not feasible to just never scan a QR code again. So what can you do to avoid QR scams? Here are six practical suggestions:
Slow down
Before you scan a QR code, take a second to think about what’s really going on. Do you know who put that QR code there? Have you ever seen a QR code used this way before? If something seems strange, trust your instinct and don’t scan that code!
Think link
It’s helpful to think of QR codes as links (and most of the time, that’s what they are!). Before scanning one, ask yourself the following question: If this was a link that had come in an email, would I trust it?
Inspect URLs
In iOS, your Camera app will show you a link preview when you point your iPhone at a QR code. Take a second to inspect the link before opening it. If the link doesn’t match the organization that the QR code says it comes from, or if it looks suspicious, then don’t go to that website!
Look for tampering
Bad guys sometimes put stickers with their own QR codes over top of legitimate QR codes. If you’re in a place that regularly uses QR codes (e.g. a restaurant), watch for signs of physical tampering that might indicate a malicious QR code.
Make a “never list”
Keep a mental list of situations in which you’d never trust a QR code. We’d suggest avoiding all QR codes that take you to sites asking for highly sensitive personal or financial data (especially anything to do with banking or credit cards). It’s also wise to avoid QR codes mailed to you in junk mail or randomly stuck on the side of a building: In these cases, you just can’t know who put the QR codes there.
Turn on 2FA
We’ve said it many times before, but two-factor authentication is one of the very best ways to keep your accounts secure. If you have 2FA enabled, then a phishing attack that succeeds in stealing your credentials still won’t result in an account compromise. We’d recommend turning on 2FA whenever possible.