FedEx delivery notifications were once a welcome sight. But now, they’re often a harbinger of potential danger.
A common QR Code scam tactic involves sending text messages containing QR Codes, disguised as package delivery notifications from reputable companies such as FedEx.
These messages trick victims into scanning malicious QR Codes, leading to potential financial loss, identity theft, and system compromise.
A recent study showed that cybercriminals increasingly use QR Codes to launch sophisticated quishing attacks. The study, conducted across 38 organizations worldwide, also revealed that QR Codes were used in phishing attacks in early October 2023 to deliver malicious payloads.
It’s time we discuss the specifics of QR Code scams, highlight cybercriminals’ common tactics, and understand essential tips for protecting ourselves from falling victim to QR Code scams.
Let’s begin.
What are QR Code scams?
QR Code scams are fraudulent schemes where criminals use deceptive QR Codes to trick people into sharing their personal information or downloading malware.
For example, scammers have placed fake QR Codes on parking meters in the UK, particularly on the Isle of Wight. When unsuspecting individuals scan these codes, they are redirected to malicious websites that can steal their personal information or infect their devices with malware.
In another possible instance, a scammer could place a fake QR Code on a public advertisement or a business card. When scanned, the code could redirect you to a malicious website that attempts to steal your private information, such as credit or debit card numbers or social security numbers.
In other words, here’s how a QR Code scam works:
- Scammers create fake QR Codes.
- Victims scan the codes and are redirected to harmful sites.
- Scammers steal information or take control of devices.
QR Code scams to watch out for
Scammers are becoming quite suave in their tactics. As Amit Relan, Co-Founder and CEO of mFilterIt, an adtech & martech company, warns, “Scammers are using fraudulent emails that mimic legitimate communications from reputable companies to trick individuals into compromising their security and financial information.”
These malicious emails can lead to serious consequences, including identity theft and the installation of harmful software. Popular platforms are frequent targets, and scammers relentlessly employ various methods to deceive unsuspecting individuals.
Let’s be aware of some common QR Code scams.
1. Quishing or QR Phishing
QR Codes are easy to generate, which is why they can be misused. The FBI reported over $150 million in losses due to QR Code scams, also known as “quishing.”
Rather than using emails or text messages, quishing scams involve tricking victims into revealing personal information through QR Codes. When scanned, these codes redirect individuals to malicious websites that steal sensitive information.
Examples of what quishing looks like.
Protip – How to prevent quishing?
- Check the sender’s domain and look for suspicious links and content.
- Confirm the email’s authenticity before scanning, use your phone camera to reveal the URL, and avoid accidental clicks.
- Be cautious with third-party scanning apps (more on this below).
2. Fake scanning apps
Be cautious of fake QR Code scanning apps, as they can be malicious software disguised as legitimate tools. These apps can download malware onto your phone, compromising your device and personal information.
In fact, you don’t need a third-party QR Code scanning app because most leading smartphones have built-in QR Code scanning capabilities within their camera apps. There’s typically no need to download a separate app, which can potentially introduce security risks.
Protip – How to protect yourself from fake scanning apps?
- Regularly update your phone’s operating system to address vulnerabilities.
- Enable 2FA or Multi-Factor Authentication.
3. Digital payment scam
Another scam tactic involves replacing legit QR Codes with malicious ones on parking meters, restaurant menus, and other public places. When unsuspecting individuals scan these fraudulent codes, they may unknowingly compromise their financial information.
Renowned digital identity expert David Birch shared a cautionary tale about his sister’s experience with a QR Code scam.
During a visit, she parked her car in a public car park and opted to pay via a QR Code for convenience. However, the QR Code led her to a fraudulent website, where she unknowingly entered her debit card details.
Fortunately, she realized the scam before significant damage was done and was able to alert her bank.
Protip
Before proceeding with a payment, carefully examine the URL displayed on your phone. Legitimate websites typically use the “https://” protocol, indicating a secure connection.
4. Resale transactions
While businesses frequently use QR Codes for mass transactions, caution is advised for second-hand purchases. Cybersecurity firm KeepNet reported a scam in which a victim received a malicious QR Code during a Facebook Marketplace transaction.
To minimize risks, consider using trusted payment platforms such as Zelle or PayPal. Industries like finance and energy, which are particularly vulnerable to such scams, should exercise extra caution.
The FBI advises against downloading apps or paying directly from QR Code links. Instead, manually navigate to trusted, known websites to ensure secure transactions.
5. QRLJacking
Cybersecurity firms have identified a new type of QR Code scam called “QRLJacking.” In this scheme, victims receive a message containing a QR Code that directs them to a fake login page for a familiar platform. When individuals enter their credentials on this fraudulent site, they unknowingly grant access to their real accounts.
Protip
To avoid falling victim to QRLJacking, you must exercise caution and slow down. If you receive an unexpected notification with a QR Code, resist the urge to act hastily. Cybercriminals often use urgency tactics to exploit human psychology and trick victims into making mistakes.
How to protect yourself from QR Code scams
So far, we’ve explored the various tactics employed by cybercriminals to exploit QR Codes. Now, let’s look into practical steps to protect yourself from these threats.
Verify the domain name
Before scanning, look for a preview of the URL displayed on your phone. This typically appears as a notification. Make sure the domain name seems legitimate. If it’s a familiar brand, look for their official domain (e.g., qr.nike.com) or a secure QR Code generator (e.g., qrcodes.uniqode, qr.tapnscan.me). If the domain is suspicious, avoid scanning.
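To show what a domain that "seems legitimate" means in practice, the following added example (not from the original article) checks a URL decoded from a QR Code against an expected domain. It goes beyond the text by also flagging embedded credentials, IP-address hosts and internationalized hostnames. The function name, warning labels and sample URLs are assumptions constructed for illustration; nike.com is taken from the article's own example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the brand domain the reader expects (the article's example is qr.nike.com).
TRUSTED_DOMAINS = {"nike.com"}


def check_qr_url(url, trusted=TRUSTED_DOMAINS):
    """Return warning labels for a URL decoded from a QR Code (empty list = no red flags)."""
    warnings = []
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["unparseable-url"]
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username or parts.password:
        # "https://nike.com@other.example/" really points at other.example
        warnings.append("userinfo-in-url")
    if not host:
        return warnings + ["no-host"]
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-address-host")
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("idn-host")  # may render as a lookalike of a known brand
    # Match the whole domain or a true subdomain, never a substring.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        warnings.append("untrusted-domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs, not taken from real campaigns.
    samples = [
        "https://qr.nike.com/abc",
        "https://nike.com.parking-pay.example/login",
        "http://qr.nike.com/abc",
        "https://nike.com@203.0.113.7/pay",
    ]
    for s in samples:
        print(s, "->", check_qr_url(s) or "no red flags")
```

An empty result only means none of these checks fired; it does not prove the destination is safe.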
Say no to third-party apps
Most modern smartphones have built-in QR Code scanning capabilities within their camera apps. These native apps are typically the safest option. If you have an older phone and need a dedicated app, research and download only from trusted app stores, prioritizing those with high user ratings.
Know your source and check for tampered QR Codes
Be cautious of random and tampered QR Codes plastered on walls or public spaces. Opt for codes displayed on product packaging, business print material, or official company websites. These are generally more reliable sources.
Stay updated, stay secure
Keeping your smartphone’s operating system updated is essential. These updates include security patches that protect you from potential vulnerabilities.
Secure payment verification
When using a QR Code for payments, verify the website’s security upon landing. Look for a padlock icon in the address bar, indicating a secure connection (HTTPS). You can usually click this icon to view the website’s security certificate details. This encryption ensures your information travels safely between you and the website, preventing unauthorized access in transit. The padlock only shows that the connection is encrypted, not that the site is genuine, so check the domain name as well.
Check the design and branding
Legitimate QR Codes include brand elements such as logos and color schemes. Exercise caution if a QR Code lacks branding or has a generic design. Additionally, the website the QR Code leads to should align with the brand’s identity, including its logo, color scheme, and overall design.
Protecting yourself after a QR Code scam
If you suspect you’ve fallen victim to a QR Code scam, take immediate action to minimize potential damage:
Secure your accounts
- Change the passwords for all your online accounts, especially those that involve sensitive information like banking or social media.
- Enable two-factor or multi-factor authentication.
Contact your bank
- Notify your bank immediately about the potential scam. Provide them with as much detail as possible, such as the website or app where you encountered the QR Code.
- Monitor your bank accounts closely for any unusual activity.
Protect your identity
- Sign up for identity theft protection software such as McAfee. This service can help monitor your credit reports, alert you to suspicious activity, and provide assistance in case of identity theft.
- Regularly check your credit reports and bank statements for any unauthorized transactions.
Verdict – QR Code scams are no joke
QR Codes have changed how we operate on a daily basis, providing convenience at our fingertips. But this convenience comes with a hidden cost – cyber risk. As cybercriminals exploit this technology, it’s important to stay vigilant. So, prioritize QR Code security, question its authenticity, avoid suspicious links, and keep your devices updated. Thwart these attacks and protect yourselves financially and emotionally. Let’s not let convenience compromise security.