QR Code Scams

The latest way hackers are breaching your private information is by using malicious Quick Response codes, more commonly referred to as a QR Code. QR codes were first created back in 1994 by the Japanese automotive industry to track inventory more effectively but have since been adopted by multiple industries to capture and share information with consumers.  Today you will find them on billboards, web pages, magazines and even clothing. While most of us are familiar with how to scan these codes with our smart phone to retrieve some vendors information or register a warranty, some folks aren’t aware of the cybersecurity and privacy risks relating to their use and abuse.

How Do Hackers Co-opt a QR Code?

One of the most prevalent and easiest ways hackers steal our information is through phishing attacks. Dive deeply into this topic by reading our previous blog article on Avoiding Phishing Attacks but in summary for this QR Code article, phishing attacks typically use an email or web page to lure you into giving out personal information. Hackers create web pages that look identical to a legitimate business web page whose real purpose is to steal your login credentials and private information. In one of these QR Code attacks, you receive an email from your bank outlining an amazing Credit Card deal which asks you to “scan the embedded QR Code” to apply. Once you scan the “bank’s” QR code, you’re taken to what appears to be your “bank’s” credit card application web page. But here you must be careful as you might not be on your bank’s actual web page.  The domain name may be slightly off (bestbankofall.com was replaced with bestbank0fall.com) behind the QR Code [notice the zero (0) in place of an O (oh)]. As you complete the credit card application form, even if you don’t submit the form for processing, hackers have secretly captured your data and will use it to open credit cards in your name, steal your identity, or steal your bank login credentials if you provided them.  Beyond these data theft attacks, other QR Code attacks try to convince users to download viruses onto their mobile devices, tablets, and computers.

How Can I Protect myself?

Here are some essential basic tips to avoid QR Code scams:

• If you receive an email from a bank, business, or anyone that asks you to scan a QR code, review a document, or apply for a credit card, double check to ensure the domain name is the perfectly correct watching for look alike letters, missing letters, or combination letters (ie: r+n = m as in rn).
• If you receive an email from a business or person you don’t recognize, simply do not scan the QR code, as it is likely a scam.
• If you must check out a QR Code offer, manually type in the domain name and visit the business’s website manually to reach the QR code offer.
• QR Codes are beginning to be used for payments.  At this time, there are enough alternatives for immediate payments that we would not recommend issuing payment through a QR code methodology.  Simply ask for alternatives.

Summary

QR codes are convenient to use for businesses, consumers, marketers to exchange information with us.  However, hackers are stealing our private data because people aren’t aware of the risks or how to validate sites properly. It is important to be on the lookout for these scams. Do not allow the convenience of a QR code to lull you into a false sense of security.  Be vigilant and use your new found knowledge to protect yourself.

Author, Ty Mezquita, Blogger/Social Media – Cyberhoot

Editor, Craig, Co-Founder – CyberHoot

Update:  Naked Security – one of CyberHoot’s required reading blogs wrote more on this topic here:  QR Codes Need a Cybersecurity Revamp