Cyber “Hoot” Wednesday: QR Code Scams

QR Code Scam
Image Source

The latest way hackers are breaching your private information is by using malicious Quick Response codes, more commonly referred to as a QR Code. QR codes were first created back in 1994 by the Japanese automotive industry to track inventory more effectively but have since been adopted by multiple industries to capture and share information with consumers.  Today you will find them on billboards, web pages, magazines and even clothing. While most of us are familiar with how to scan these codes with our smart phone to retrieve some vendors information or register a warranty, some folks aren’t aware of the cybersecurity and privacy risks relating to their use and abuse.

How Do Hackers Co-opt a QR Code?

One of the most prevalent and easiest ways hackers steal our information is through phishing attacks. Dive deeply into this topic by reading our previous blog article on Avoiding Phishing Attacks but in summary for this QR Code article, phishing attacks typically use an email or web page to lure you into giving out personal information. Hackers create web pages that look identical to a legitimate business web page whose real purpose is to steal your login credentials and private information.

In one of these QR Code attacks, you receive an email from your bank outlining an amazing Credit Card deal which asks you to “scan the embedded QR Code” to apply. Once you scan the “bank’s” QR code, you’re taken to what appears to be your “bank’s” credit card application web page. But here you must be careful as you might not be on your bank’s actual web page.  The domain name may be slightly off (bestbankofall.com was replaced with bestbank0fall.com) behind the QR Code [notice the zero (0) in place of an O (oh)].

As you complete the credit card application form, even if you don’t submit the form for processing, hackers have secretly captured your data and will use it to open credit cards in your name, steal your identity, or steal your bank login credentials if you provided them.  Beyond these data theft attacks, other QR Code attacks try to convince users to download viruses onto their mobile devices, tablets, and computers.

How Can I Protect myself?

Here are some essential basic tips to avoid QR Code scams:

  • If you receive an email from a bank, business, or anyone that asks you to scan a QR code, review a document, or apply for a credit card, double check to ensure the domain name is the perfectly correct watching for look alike letters, missing letters, or combination letters (ie: r+n = m as in rn).
  • If you receive an email from a business or person you don’t recognize, simply do not scan the QR code, as it is likely a scam.
  • If you must check out a QR Code offer, manually type in the domain name and visit the business’s website manually to reach the QR code offer.
  • QR Codes are beginning to be used for payments.  At this time, there are enough alternatives for immediate payments that we would not recommend issuing payment through a QR code methodology.  Simply ask for alternatives.

Summary

QR codes are convenient to use for businesses, consumers, marketers to exchange information with us.  However, hackers are stealing our private data because people aren’t aware of the risks or how to validate sites properly. It is important to be on the lookout for these scams. Do not allow the convenience of a QR code to lull you into a false sense of security.  Be vigilant and use your new found knowledge to protect yourself.

Author, Ty Mezquita, Blogger/Social Media – Cyberhoot

Editor, Craig, Co-Founder – CyberHoot

Cyber “Hoot” Wednesday: Three Tips for the Digital Age

CyberHoot received notice today that our Café Press account had been breached along with 23 million other accounts. Fortunately, no password data was reported stolen. However, phone numbers, home addresses, email addresses, and full names were breached. This comes on the heels of Capital One’s 100 Million breached financial records announced last week. The FBI claims there are ONLY two types of companies. First, there are companies that know they’ve been breached while second, there are companies that don’t know they’ve been breached. Every company, not just Capital One and Café Press, should assume it has been, or will be, breached. What are you to make of these breaches?

Breached personal data is part of the new normal in the digital age. It’s a fact that our personal data will be compromised; it will be available in online hacker forums for bad actors to try and take advantage of us with. Recognizing that fact, CyberHoot and all our employees have been preparing for this for many years. We practice the three tips below for the digital age; will you practice them?

CyberHoot believes there are two kinds of people. First, there are people who know their personal data has been breached and do something to minimize the impact. Second, there are those people that know their personal data has been breached but do nothing about it. You’re reading this article to learn how to minimize the impact of breached personal data, right? If so, then take the following three steps.

CyberHoot’s Top Three Tips in the Digital Age to protect yourself Personally and professionally:

  1.  Freeze your Credit. If you haven’t frozen your Credit yet, well, what are you waiting for? Here’s the Freeze your Credit article from CyberHoot.
  2.  Learn a Password Manager: given all our data will be breached, you need to learn this skill. Here’s CyberHoot’s article on Password Managers.
  3.  Enroll in a Cybersecurity Awareness Program: do this for yourself personally and make sure your company does it for all its employees.

It’s too dangerous out there not to provide awareness training to your staff. You can be sure no-one else is. If you don’t, who will?

Come to CyberHoot.com for a free 30-day trial for Cybersecurity awareness training. Our training is quick, easy, and effective! All it takes is the will to act… we’ll handle everything else.

Craig, Co-Founder – CyberHoot