Understanding QR Code Security: Best Practices and Common Risks 

Updated: November 4, 2024

By: Marcos Isaias

Fake QR Code scams are everywhere, and QR Code scammers keep coming up with new ways to trap users. A TikTok user recently posted about how his friend got scammed after scanning a QR Code posing as the ParkMobile parking app. These fake parking QR Codes aim to steal your money by gaining unauthorized access to your information.

However, QR Codes are integral to running marketing campaigns, networking at events, and even collecting payments. Enterprises that rely on QR Codes cannot imagine doing without them, yet they cannot risk their customers’ or employees’ privacy either.

So what’s the solution, then? 

Establishing a solid QR Code security framework requires extra care. In this article, we will explain the types of QR Code attacks and best practices for preventing QR Code scams. 

Let’s go. 

Types of QR Code Attacks

Here are a few types of QR Code attacks that you should know of: 

The attacker replaces your QR Code 

Suppose you already have a QR Code on a billboard advertisement or at a retail store. Scammers print a QR Code of their own, with a malicious link encoded within, and paste it over the existing QR Code advertisement.

The attacker modifies individual parts of a QR Code 

The attacker may modify individual modules of the QR Code by changing their content or color. Users who scan such a code are directed to a scam site.

The QR Code is fraudulent, to begin with 

A fraudulent QR Code directs users to an unprotected form that demands personal information from them, such as contact numbers, credit card numbers, OTPs, and so on.

The QR Code is fake 

Fake QR Codes can be of many types. They could initiate the download of malicious software or redirect users to fake offers and discounts that don’t exist. 

Examples and Risks of QR Code Attacks 

Businesses are often the targets of QR Code phishing campaigns. Business users often receive emails containing QR Codes that redirect to malicious URLs.

A Reddit user explains their experience of encountering exactly this. They describe receiving emails whose unsafe URL redirections carry a Base64 string. Upon decoding, the string turns out to be the targeted employees’ email addresses.

The same user also explains other contexts for receiving malicious emails, in which URLs redirect users to a site impersonating Microsoft 365 to harvest their login details or other sensitive information. 

If any employee steps into one of these traps, the entire organization’s data is at risk. Some of the most common goals of QR Code attacks include:

Redirect a payment to capture the financial data of a user 

Payment fraud is one of the most popular types of QR Code scams. Common methods include pointing a QR Code at a malicious website, diverting the payment to a different bank account, and sending phishing emails that ask users to fill out forms with financial details that are not needed for the transaction.

The biggest risk associated with this type of scam is revealing critical financial data such as credit card numbers, CVVs, and debit card PINs. There have been multiple instances where QR Code payment fraud emptied users’ bank accounts entirely.

Reveal a user’s personal data 

The method of QR Code fraud is similar in this case; only the end goal differs. Here, QR Code scammers ask for personal information such as name, email address, contact number, passport or other personal ID numbers, one-time passwords for payment processing, and so on.

Apart from losing money, the victim also gives the scammers lasting access to their data. A user falling for this type of scam may become the victim of both identity theft and monetary loss.

Get hold of a user’s location 

Cybercriminals opting for this type of QR Code scam look for ways to capture the victim’s real-time location by tracking their device. When the victim scans the QR Code, their phone installs a location-tracking application under one pretext or another.

Apart from the financial and identity risks, this type of QR Code scam also reveals the locations and details of other individuals close to the victim, which can turn a single incident into mass QR Code fraud.

QR Code Security Best Practices

For Brands

Enterprises should be extra careful about protecting the privacy of their customers and employees. Here are a few QR Code security best practices to follow: 

1. Use a secure QR Code generator

Use a secure QR Code generator application like Uniqode, The QR Code Generator, to scale your QR Code generation without compromising security. The tool you use should follow established security practices and offer businesses the following privacy features:

  • Single sign-on (SSO) support
  • GDPR, SOC 2 Type 2, and HIPAA compliance, with customer data protected end-to-end
  • Multi-factor authentication, for an extra layer of protection on your accounts
  • Detection of anomalous scans, to maintain data integrity

2. Use a custom domain

Displaying a custom domain whenever someone scans your QR Code increases engagement and also alerts users if something fishy is going on. For example, suppose you are scanning a Bank of America QR Code to access their digital application form. Which of the two QR Codes below looks suspicious to you? The second one, right? QR Codes with custom domains help scanners identify the destination they are being taken to and build a sense of trust.

[Image: QR Codes with a custom domain vs. a generic domain]

For Scanners

1. Check the source and scan QR Codes from trusted sources only 

QR Code phishing emails aren’t a new trend. These emails, which often look legitimate, lead users to unauthorized sites that steal their data. Therefore, before scanning a QR Code, verify the source, link, or email address it came from. For example, if the sender’s email address is blacklisted, isn’t from a trusted email domain, or you cannot tell whether the email ID belongs to a company or a real individual, it is better not to scan the QR Code.

When scanning QR Codes from a random website or application, make sure to look for the following aspects: 

  • The website has an SSL (Secure Sockets Layer) certificate, shown as https:// and a padlock in the browser
  • It has a strong brand identity that’s difficult to imitate
  • If the SSL certificate is missing, assess the website’s legitimacy with vulnerability detection tools like Intruder Astra before entering any data
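
The checks above, together with the Base64 trick described in the Reddit example earlier (an employee’s email address hidden in the link so the attacker knows who scanned it), can be automated on the scanner side. The following is an added example, not code from the original article or from any QR Code product it names: it takes the text a scanner app decodes from a QR Code and reports what a cautious user would want to know before tapping it. The sample payloads, the host names, and the trusted-domain list are constructed for the example; real deployments would use the organization’s own domains.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample payloads, written as a scanner app would decode them.
# The hosts and the Base64 token are invented for this example.
SAMPLE_PAYLOADS = {
    "legit": "https://pay.example-bank.com/invoice/4471",
    "phish": "http://example-bank.com.login-verify.example/auth?u=YWxpY2VAZXhhbXBsZS5jb20=",
    "redirect": "https://short.example/x?next=https://m365-login.example/",
}

# Domains the organization actually uses (assumed list); anything else is unknown.
TRUSTED_DOMAINS = {"example-bank.com", "pay.example-bank.com"}

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
# Loose shape of a Base64 / URL-safe Base64 token worth trying to decode.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")


def decode_base64_email(token):
    """Return the e-mail address hidden in a Base64 token, or None."""
    if not B64_RE.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)  # restore stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def host_is_trusted(host, trusted):
    """True when host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def inspect_qr_payload(payload, trusted=TRUSTED_DOMAINS):
    """Inspect one decoded QR payload and list the red flags found."""
    findings = []
    url = urlparse(payload.strip())
    # 1. Plain http means no certificate: nothing should be typed into it.
    if url.scheme.lower() != "https":
        findings.append(f"scheme is {url.scheme or 'missing'}, not https")
    # 2. Custom-domain check: is the destination one of our own domains?
    host = url.hostname or ""
    if not host_is_trusted(host, trusted):
        findings.append(f"host {host!r} is not a trusted domain")
    # 3. Look-alike: a trusted name used as a prefix of an untrusted host.
    for d in trusted:
        if host != d and not host.endswith("." + d) and d in host:
            findings.append(f"host embeds trusted name {d!r} (look-alike)")
            break
    # 4. Tokens in the path and query: hidden e-mail addresses, open redirects.
    tokens = [seg for seg in url.path.split("/") if seg]
    for values in parse_qs(url.query, keep_blank_values=True).values():
        tokens.extend(values)
    for tok in tokens:
        tok = unquote(tok)
        email = decode_base64_email(tok)
        if email:
            findings.append(f"Base64 token decodes to e-mail {email}")
        if tok.lower().startswith(("http://", "https://")):
            findings.append(f"embedded redirect to {tok}")
    return {"url": payload, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        report = inspect_qr_payload(payload)
        print(f"[{name}] suspicious={report['suspicious']}")
        for f in report["findings"]:
            print("   -", f)
```

The "legit" payload produces no findings; the "phish" payload is flagged for plain http, an untrusted host that merely contains the bank’s name, and a query token that decodes to an e-mail address; the "redirect" payload is flagged for forwarding to a second site. The trusted-domain list is the scanner-side counterpart of the custom-domain advice above: a brand that always publishes the same domain on its QR Codes gives its users something concrete to compare against.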

2. Look for red flags in the QR Code branding 

A pro tip for determining whether a QR Code is safe is to examine its branding elements. An authentic brand QR Code will be customized with the brand’s color, frame, and shape. Upon scanning it, you will be redirected to the brand’s website, where you can find the logo, URL, and other relevant content.

A bland QR Code that lacks these branding elements is more likely to be fraudulent.

Conclusion 

QR Codes are a perfect way for businesses to balance their online and offline marketing initiatives. However, with QR Code scams increasing worldwide, it is always advisable to use a legitimate QR Code generator like Uniqode and to look for warning signs before scanning a QR Code. Educate your employees and customers not to trust any QR Code blindly and to assess a QR Code before trusting it, especially when personal data is at stake.


ABOUT THE AUTHOR

Marcos Isaias


PMP-certified professional, digital business card enthusiast, and AI software review expert. I'm here to help you work on your blog and empower your digital presence.