QR Codes (Quick response codes) have been around since 1994. They were originally used by the auto industry to assist in the manufacturing process.
QR codes are now used in a variety of ways both commercially and personally. They became more popular during the pandemic fueled by the need for contactless, touch free communication.
Places that use them include restaurants, healthcare facilities, sports arenas, advertisers, libraries and museums, stores, automotive companies and travel and event venues.
While they are very useful there are risks involved. Whenever something becomes popular cybercriminals look for ways to exploit users and steal their information.
Thieves are using QR codes to conduct QRishing scams which are similar to phishing scams. Scammers create their own QR codes and when a user scans the code it directs them to a website where they are tricked into entering payment information, usernames, passwords and other personal details that lead to theft. Some websites do drive-by downloads, so just visiting the site can result in a malware infection. Scammers can place QR codes anywhere. This can be a physical location or digitally including websites and email.
Cybercriminals can swap out a legitimate QR code for a malicious one. This can lead to malware being installed on your smartphone, once malware has been installed cybercriminals can gain access to your phone and steal your personal information which can result in financial fraud, data theft, identity theft and account takeovers.
Examples of where you might find QR codes
Restaurant menus
Bus stops, train stations and subway stations
Museums and libraries
Grocery stores and retail outlets
On product packaging
For sale and real estate signs
At the bottom of printed magazine and newspaper articles
Invitation and RSVP cards
Billboards
Movie posters
Business cards and brochures
Paying at stores or online
Digital coupons
Social media
Resumes or LinkedIn profiles
Advertising
To access Wi-Fi by saving details such as SSID, password, and encryption type
Digital user manuals and instruction guides
Event ticketing and information
These are just a few examples of physical and digital QR codes. Anyone can create a QR code and the uses are endless.
How To Protect Yourself
The QR codes themselves are not dangerous, it is where the QR code directs you than can be problematic.
Don’t scan QR codes sent in an email message or posted on social media.
Enable multifactor authentication on all your financial, email and other confidential accounts.
Use QR codes to pay only at trusted merchants and providers.
When visiting a website check the web address to be sure it is legitimate. Look for misspellings in the address. Secure sites start with https.
Don’t scan QR codes to enter sweepstakes or participate in surveys.
Don’t use a QR code to download an app, instead get the app directly from the Google Play or Apple App store.
Don’t scan QR codes in a public place or anywhere they can be easily tampered with.
Don’t scan codes on unexpected packages. A scam known as “brushing” is when you receive a package you never ordered. These deliveries can contain malicious QR codes.
It is almost certainly a scam if a QR code directs you to a website that requires you to log in or asks for any kind of personal information.
Avoid using a QR code to pay bills or invoices. Instead, use more secure payment options.
If it is a physical QR code look for signs that the QR code has been tampered with such as a sticker placed over the true QR code.
Don’t download QR code apps as many are fraudulent, instead use your phones camera to scan.
Install an antivirus app on your smartphone.
Update your smartphones operating system when prompted to do so. Updating ensures your phone is up to date with the most current security features.
Since QR codes are relatively new for most of us we are more vulnerable to being exploited by them. Not enough research has been done to deal with QRishing. Use QR codes with caution until we learn more.
The Tech Minimalist 