Think Twice Before Scanning That QR Code

QR codes — short for Quick Response codes — are everywhere these days, on the tables at restaurants, on posters, print and electronic advertising, and even during TV programming and commercials.

By training your smartphone camera on one, you’ll get a prompt to click to open a web page, typically one for the company behind the QR code. But now, even these are prone to misuse and if one of your employees scans a bogus one, the scammers can potentially steal funds and business or personal data.

The FBI recently issued a warning, stating that criminals are using tampered codes to redirect customers to malicious sites that could access your firm’s sensitive data. They can send the code through e-mail as promotion codes.

They also may paste the tampered code on the original one, such as parking meters, flyers, or a restaurant table where the original code would bring up the menu.

According to the FBI, criminals are using malicious QR codes in two ways:

  • When scanned, the code takes you to an imposter phishing website trying to trick you into logging in, hoping that you will use an existing username and password, or share other personal or banking information.
    The QR code releases malicious code — such as malware, ransomware and trojans — onto your phone, allowing criminals to track information from your phone and even lock you out of the device and only releasing it if you pay up.
  • The QR code can compose pre-written e-mails and send them from your account. These e-mails are often new phishing e-mails aimed at getting your contacts to open and click on malicious links. Scammers can also program the codes to open payment sites and follow social media accounts. 

Worse still, QR codes are easy to create with a number of free online tools. This makes the codes easy for businesses to use — but it’s also easy for scammers to take advantage of them.

Prevention

You may want to circulate an e-mail to your staff that use company devices or their own devices for work, telling them how they can identify potentially dangerous QR codes.

According to cyber security firm Aura, the most common scams are:

  • QR code scams on parking meters and other contactless payments.
  • QR codes sent in phishing e-mails (failed payments, credential phishing, etc.).
  • Tampered QR codes in restaurants.
  • Fake QR codes sent through the mail (surveys, sweepstakes, etc.).
  • QR codes on unexpected package deliveries.
  • QR codes at sham COVID-19 testing centers.
  • QR codes sent over social media (hacked accounts).
  • Cryptocurrency QR code scams.
  • Fake QR code scanner apps that download malware.

Rather than avoid QR codes entirely, learn how to identify the common signs indicating that you’re dealing with a fraudulent QR code.

Train your workforce

Aura and technology news site Techtarget recommend training your staff in the following:

Avoid opening QR codes in e-mails or regular mail — Train your employees not to scan QR codes they receive in e-mails. Send them straight to your trash folder and notify the IT department. Also avoid scanning QR codes in other mail.

Avoid log-in pages — If a QR code takes you to a log-in page, do not enter your credentials.

Look for signs of tampering — Scammers may print their own QR code stickers and paste them over legitimate ones. Check to see if the code is on a sticker above another one, or if there are signs it has been tampered with.

Preview the URL before following the QR code — The little box that opens up when you scan a QR code will include text identifying the site to which it will direct you. Check whether the URL seems safe, or with your waiter if you’re at a restaurant. Beware of an URL that doesn’t look complete or if you can’t read it.

Check the site for signs it’s not legit — There are often signs that you’ve landed on a phishing site: words are misspelled or the text has typos or odd grammar that is clearly not written by a native English speaker. The design may be shoddy and the images low resolution.

Additionally, the URL may be unsecure (secure sites start with https: and will display a padlock icon). Be wary of sites that start with http:.

Exercise caution with QR codes in public places — These codes may have been placed there by a scammer. You may want to completely avoid scanning these codes to be safe, especially if it’s for a product or deal that seems too good to be true.

IT department actions

Your IT and/or security team should also ensure that:

Security software is up to date — Make sure that users are running the latest security software on any mobile device that has access to corporate resources. The software should be able to protect against device takeover attacks, phishing attacks and other mobile device exploits.

MFA is implemented across the organization — Implement multifactor authentication requirements across your company as an interim measure, and then gradually work on adopting an authentication solution that does not rely on passwords.

Many QR code-based attacks are designed to trick users into entering their passwords so that cyber criminals can steal their credentials. If you can eliminate the need for passwords, you can greatly reduce the success rate of these attacks.