Scanning Smarter: Protecting Yourself from QR Code Scams

  • Writer: Tracey Dispensa
  • Aug 5
  • 4 min read

QR codes are everywhere — on restaurant menus, product packaging, and even billboards. These convenient black-and-white squares make it easy to quickly access information or websites with a simple scan from your phone's camera. While most QR codes are harmless, their growing popularity has opened a new door for cybercriminals. Just as with phishing emails, attackers can use fake QR codes to trick you into visiting malicious sites that steal your personal information or install malware on your device. This post will explore how these threats work and, most importantly, how you can protect yourself from them.


Be your own digital detective: Learn how to scan QR codes safely and protect yourself from malicious attacks.

QR codes have been in use for many years as a quick, convenient, and compact way to redirect users to sites. We see this even in elements like my email here. The URL encapsulated in the QR code, which leads to Amazon for my recently published novel, is listed beneath that message. Users find it very convenient to scan the code with a mobile device as a quick way of getting to a site instead of typing the link. In my case, I’ve listed the code as going to Amazon. Whether it’s scanned with the photo app or the code scanner on the phone, the mobile device will state where it is about to route the user and will ask permission to continue.

The use of QR codes to redirect users to malicious sites gives an attacker the same convenience. The attacker only needs to entice subjects to scan the code, which is very much the same challenge attackers face in phishing attacks. One advantage for the attacker is that the QR code naturally obscures the actual destination when the code is simply viewed on a web page or in an email. By coupling this with AI techniques, attackers may be able to create more convincing fakes and wording that portrays the message as legitimate.


Let’s consider some of the ways these malicious codes might be employed by a bad actor:

  1. The first challenge is deploying the code in a way that might cause someone to scan it and be redirected. A phishing email might be used to deliver the code along with a message that entices the target to scan it. An attacker frequently implies a sense of urgency: scan this now to complete your transaction and win a new phone, but do it now since there are only a limited number of prizes, and don’t wait for someone else to beat you. This manufactured urgency appeals to the user’s desire for something for nothing.

  2. Another method relies on a compromised store site that people shop at. Using the same techniques used to deface a website, the attacker adds a QR code to the checkout page. This is a bit more passive and doesn’t always imply a sense of urgency. This method may target younger users between the ages of 14 and 27 who are about to complete a payment transaction on their mobile device.

  3. Physical QR codes printed as correctly sized stickers can be applied over legitimate codes in any number of places. Consider pay-for-parking signs, codes posted on their own in a seemingly random way outside a venue like a comic con, or menu stickers placed over legitimate codes in a restaurant.

  4. Physical or digital codes, such as in an email, that claim a discount will be applied if the user installs an app (just scan and follow the link). Attackers like to prey on the greedy nature of end users by offering a steep discount on something. This is another red flag, as bright as the sense of urgency. We all love “something for nothing”, but does it really make sense?

These are just a few examples. Here are some cyber-safety techniques.

  • Parents must teach teens and kids how to protect themselves when they scan ANY QR code. Show them how the device states where they are being redirected. If the site and the surrounding information don’t seem to match, they should abort before traveling to the site.

  • Any enticement that uses a sense of urgency is an immediate red flag. A teen wants to attend a concert with friends, and they get a message claiming to either give away tickets or have them register to win tickets, but they must do it now. This is a sign of danger.

  • Signs like pay-for-parking notices that carry QR codes should name the site users will be redirected to. As a safe practice, use your fingernail to scrape over the top of the QR code to feel whether something has been stuck on top of it. If there is, reach the site some other way. Treat with the same suspicion any sign with a code that claims an app will be installed and that the user will get a steep discount by using it.

  • As the use of AI by malicious actors becomes more prevalent, we must become even more vigilant. If an unsolicited message of any kind prompts a user to scan a code, it must be treated as suspicious. If the message can’t be confirmed by some out-of-band technique, it’s best not to scan it.

  • Lastly, keep all mobile and laptop devices updated. It’s actually quite dangerous to give kids a hand-me-down device that is no longer supported by the manufacturer.
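The "does the destination match what the sign or message claims?" check from the first and third tips above, written out as an added Python example (this is not code from the original post). It takes the text a scanner displays after decoding, plus the site the sign, menu or message claims to lead to, and returns open, caution or abort with the reasons: a destination that does not match the claimed site, a lookalike host that merely contains the brand name, a raw IP address, a link shortener that hides the real destination, credentials embedded in the URL, or a payload that is not a web link at all. The sample payloads are constructed, the shortener list and the two-label "registered domain" rule are simplifying assumptions, and nothing here decodes images.

```python
"""Triage a decoded QR payload before following it (added example)."""
from typing import Optional, List
from urllib.parse import urlparse
import ipaddress

# Assumption: a short list of common public link shorteners. A shortener
# hides the real destination, so the user cannot judge it before opening.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def registered_domain(host: str) -> str:
    """Naive registered domain = last two labels. Simplification; real code
    should consult the Public Suffix List (e.g. 'example.co.uk')."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_qr_payload(payload: str, expected_domain: Optional[str] = None) -> dict:
    """Return {'verdict': 'open'|'caution'|'abort', 'host': str, 'flags': [...]}.

    expected_domain is the site the sign, menu or message claims the code
    leads to (e.g. 'amazon.com'); None means nothing was claimed.
    """
    hard: List[str] = []   # any of these -> abort
    soft: List[str] = []   # these alone -> caution
    parsed = urlparse(payload.strip())
    scheme = parsed.scheme.lower()

    if scheme not in ("http", "https"):
        # WIFI:, tel:, sms:, intent: or plain text: not a web link at all,
        # so the "where am I being sent" check cannot be applied.
        hard.append(f"payload is not a web link (scheme '{scheme or 'none'}')")
        return {"verdict": "abort", "host": "", "flags": hard}

    host = (parsed.hostname or "").lower()
    if not host:
        hard.append("URL has no host")
        return {"verdict": "abort", "host": "", "flags": hard}

    if scheme == "http":
        soft.append("plain http, not https")
    if parsed.username is not None:
        hard.append("credentials embedded before the host (user@host)")
    try:
        ipaddress.ip_address(host)          # raises ValueError for names
        hard.append("host is a raw IP address")
    except ValueError:
        pass
    if registered_domain(host) in SHORTENERS:
        hard.append("link shortener hides the real destination")

    if expected_domain:
        expected = expected_domain.lower()
        brand = expected.split(".")[0]
        if not (host == expected or host.endswith("." + expected)):
            if brand in host:
                # e.g. amazon.com.secure-prize-claim.example: the brand is
                # only a label inside someone else's domain
                hard.append(f"lookalike: '{brand}' appears in host but the "
                            f"domain is {registered_domain(host)}")
            else:
                hard.append(f"destination {host} does not match claimed site {expected}")

    verdict = "abort" if hard else ("caution" if soft else "open")
    return {"verdict": verdict, "host": host, "flags": hard + soft}


# Constructed sample payloads (decoded text, claimed site), not real links.
SAMPLE_PAYLOADS = [
    ("https://www.amazon.com/dp/EXAMPLE", "amazon.com"),                  # matches claim
    ("https://amazon.com.secure-prize-claim.example/win", "amazon.com"),  # lookalike
    ("http://bit.ly/3xyzabc", "cityparking.example"),                     # shortener on a sign
    ("https://198.51.100.23/app-discount", None),                         # raw IP
    ("WIFI:T:WPA;S:FreeCafe;P:pass;;", None),                             # not a web link
]


def triage_all():
    """Run every sample through the triage and return (payload, verdict) pairs."""
    return [(p, triage_qr_payload(p, d)["verdict"]) for p, d in SAMPLE_PAYLOADS]


if __name__ == "__main__":
    for payload, claimed in SAMPLE_PAYLOADS:
        result = triage_qr_payload(payload, claimed)
        print(f"{result['verdict']:8} {payload}")
        for flag in result["flags"]:
            print(f"         - {flag}")
```

The verdict mirrors the advice in the tips: a destination that contradicts or hides what the sign claimed is an abort, while a plain-http link to the right site is merely a caution. The brand-in-host test is deliberately strict because "amazon" appearing somewhere in a hostname is exactly what a lookalike relies on.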

 

The evolution of technology always brings broader attack surfaces that attackers can leverage.

© 2025 The Digital Detective, proudly produced by Cloud 10 Studios
