The list of ways that hackers are trying to separate you from your money or your data is seemingly endless, and now you can add the QR code to that list. The use of malicious QR codes has spiked in recent months, and the consequences can be dire. Here’s what’s happening and how to avoid being scammed:
QR codes have been around for a quarter century or more, but their use spiked during the pandemic as restaurants needed to deploy contactless menus. Even as those restrictions have eased, QR code use has remained a constant since it’s cheaper to update a digital menu than a printed one. And of course, restaurants are far from the only places you’ll encounter QR codes.
While this might seem more of an issue for individual users than for businesses, infected devices often explore the networks they’re connected to, looking for opportunities to infect other devices or to lock down data in a ransomware scheme.
First, understand that the codes themselves are not malicious. A QR code is just what it appears to be: a convenient shortcut to a website. It’s the destination that’s the problem in a hacking scheme, and there’s no shortage of methods to try to fool you.
Some hackers are placing phony QR code stickers over the legitimate codes on parking meters or restaurant menus. Others are sending phony sweepstakes entries via snail mail, or even having packages sent to victims from Amazon with a QR code inside to initiate a return. There are also malicious QR code scanner apps that will load your device with malware. And email remains a favorite means of delivery, often spoofing major retailers and containing a message that a recent purchase couldn’t be completed.
The dangers of malicious QR codes
Many phony codes will take the user to a phishing website that resembles the intended destination. These sites will in some way attempt to fool you into entering payment information, but some will simply infect your device with malware, while others might take over your email account and send emails that appear to be from you.
The bad guys have even gone so far as to set up fraudulent COVID testing centers with QR codes designed to capture not only payment information but Social Security numbers and medical insurance information.
How to spot a scam
Use your eyes. Does the code you’re about to scan appear to be original and in a place where you’d expect it to be? Look carefully for a sticker that might have been placed over the original code.
Use your camera only. You don’t need a QR code scanning app, only the camera on your phone. As noted, these apps are often malicious. Warning signs include multiple permission requests, or apps that need an update as soon as they’re installed. That update is likely to be malicious code.
Look before you click … and after. Your phone will show a preview of the URL you’re about to visit. Read it carefully, and make sure you’re headed for the domain you were expecting to visit. Once you’re on the page, look closely for typos, misspellings or syntax that doesn’t look right. Is the page professionally designed or does it look like it was just slapped together? Finally, any legitimate site’s URL should begin with the https:// (secure) prefix and display a padlock, though phishing sites can obtain certificates too, so the padlock on its own does not prove a site is genuine.
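The URL-preview check described above can also be automated, for example in a help desk or mail-filtering tool that decodes QR codes before users see them. The following is an added example, not code from the original article; the function name, the warning tags and the list of expected domains are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def check_qr_url(decoded, expected_domains):
    """Return warning tags for a URL decoded from a QR code (empty list = no flags)."""
    warnings = []
    parts = urlsplit(decoded.strip())
    host = (parts.hostname or "").rstrip(".").lower()

    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if parts.username is not None:
        # Text before "@" is not the destination but can mimic a trusted name.
        warnings.append("userinfo-before-host")
    if not host:
        warnings.append("no-host")
        return warnings
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass  # a normal DNS name
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # Internationalised names can render as look-alikes of familiar ones.
        warnings.append("idn-host")

    expected = {d.lower() for d in expected_domains}
    if not any(host == d or host.endswith("." + d) for d in expected):
        warnings.append("unexpected-domain")
        if any(d in host for d in expected):
            # The expected name appears, but only as part of someone else's domain.
            warnings.append("expected-name-inside-other-domain")
    return warnings

# Constructed sample payloads (reserved .example/.test names, documentation IP).
EXPECTED = {"cityparking.example"}
SAMPLES = [
    "https://pay.cityparking.example/meter/42",
    "http://cityparking.example/meter/42",
    "https://cityparking.example.pay-now.test/meter",
    "https://cityparking.example@pay-now.test/",
    "https://192.0.2.10/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url, EXPECTED) or "ok")
```

An empty result only means none of these structural warning signs were found; the on-page checks described above still apply.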
Questions about cybersecurity for your business? Contact Hill Tech Solutions.