Over the last few years, QR codes have gained popularity in everyday life and are used practically everywhere, especially since the start of COVID, when restaurants and drinking establishments had to stop using their physical menus.
With the increase in use, cybercriminals saw an opportunity to use them to their advantage. They started to make their own and put them on websites, in emails, and even outside of cyberspace, while the person scanning the square with their phone camera was none the wiser and typed in personal or banking information. “Anytime new technology comes out, cybercriminals try to find a way to exploit it,” said Angel Grant, vice president of security at F5, an app security company. That’s especially true with tech like QR codes, which people know how to use but might not know how they work, she says. “It’s easier to manipulate people if they don’t understand it.”
Scanning the fake QR codes won’t do anything to your phone, such as download malware in the background. Instead, it will take you to scammy websites designed to get your bank account, credit card, or other personal information.
Like any other phishing scheme, it’s impossible to know exactly how often QR codes are used for malicious purposes. Experts say they still represent a small percentage of overall phishing, but numerous scams involving QR codes have been reported to the Better Business Bureau, especially in the past year.
Most recently, the FBI issued a warning advising consumers to think before they scan potentially sketchy QR codes. Many people know they need to be on the lookout for phishing links and questionable attachments in emails that claim to be from the bank or a subscription. However, being on the lookout when scanning a QR code with a smartphone camera isn’t second nature for most people.
Recently in Austin, Texas, these fake codes appeared on parking meters. They lured people into scanning them, which led to a site that impersonated the actual one, where they entered their financial information thinking they were paying for parking. Police do not know the number of people who were duped by this scam.
Tips from the experts
Think before you scan. Be especially wary of codes posted in public places. Take a good look. Is it a sticker or part of a bigger sign or display? If the code doesn’t look like it fits in with the background, ask for a paper copy of the document you’re trying to access or type the URL in manually.
When you do scan a QR code, take a good look at the website it led you to, Haas recommends. Does it look like you expected it would? If it asks for login or banking information that doesn’t seem needed, don’t hand it over.
Codes embedded in emails are almost always a bad idea. Take Haas’ advice and skip these entirely. The same goes for codes you receive in unsolicited paper junk mail, such as those offering help with debt consolidation, Grant says.
Preview the code’s URL. Many smartphone cameras, including iPhones running the latest version of iOS, will give you a preview of a code’s URL as you start to scan it. If the URL looks strange, you might want to move on.
Better yet, Ansari recommends using a secure scanner app, which is designed to spot malicious links before your phone opens them.
But stick to the well-known security companies, he says. Malicious QR scanning apps designed to scrape user information have made it into the app stores in the past.
Use a password manager. As with all kinds of phishing, if a QR code takes you to an especially convincing fake website, a password manager will still know the difference and won’t autofill your passwords, Haas says.
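Why a password manager is not fooled by a convincing page, shown as an added example that is not from the experts quoted above: autofill is keyed to the site's origin (scheme, host, port), not to how the page looks. The vault entries and URLs are constructed, the function names are hypothetical, and exact-origin matching is a simplifying assumption, since real managers differ in their matching rules.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed vault: origin -> saved login (all names are hypothetical).
SAVED_LOGINS = {
    ("https", "pay.cityparking.example", 443): "parking account",
    ("https", "login.bank.example", 443): "bank account",
}


def origin_of(url):
    """Return (scheme, host, port) for a web URL, or None if it is unusable."""
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme  # urlsplit already lowercases scheme and host
        host = (parts.hostname or "").rstrip(".")
        port = parts.port or DEFAULT_PORTS.get(scheme)
        # Compare internationalized names in their ASCII (punycode) form.
        host = host.encode("idna").decode("ascii")
    except ValueError:  # bad port, bad IPv6 literal, or invalid IDN label
        return None
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return (scheme, host, port)


def autofill_for(url):
    """Return the saved login for the URL's exact origin, else None."""
    return SAVED_LOGINS.get(origin_of(url))


if __name__ == "__main__":
    # Constructed URLs such as a scanned QR code might decode to.
    for url in (
        "https://pay.cityparking.example/meter/1234",      # the real site
        "https://pay-cityparking.example/meter/1234",      # lookalike host
        "https://pay.cityparking.example.meter-pay.example/",  # real name as a prefix
        "http://pay.cityparking.example/meter/1234",       # not HTTPS
    ):
        print(f"{url} -> {autofill_for(url) or 'no autofill'}")
```

If the manager offers nothing on a page that asks for a login you know you saved, treat that as a sign the site is not the one you think it is.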