Quick Response (QR) codes have been around for decades, but we’ve seen a rise in their popularity. Approximately 11M U.S. households will scan a QR code this year. We are able to scan QR codes using our smartphones and avoid touching public screens or handling things like restaurant menus – making these codes an appealing alternative during a pandemic. Similar to a barcode on a product, a QR code stores data. The data can be static or dynamic as well as interactive and actionable. And while these features are certainly convenient, they can also be dangerous.
How They Work
QR codes have varied functions. Static QR codes have information embedded in the code. This information is fixed and cannot be changed (even if you find a typo!). An example would be a contact card embedded in a QR code. Dynamic QR codes have links embedded in their code. It could be a link to a malicious website designed to steal your sensitive information or infect your phone with malware. Or, it could even be a link to a valid website that is hacked later on.
Scanning QR codes could lead to an email being drafted or a phone call initiated on your behalf. It could also open an app and initiate an action within the app. For example, you could scan a QR code to make a payment and it will open your PayPal app and bring you to the seller’s payment page. Or, you could scan a code that opens up Facebook and likes a brand’s page automatically.
According to a recent survey by MobileIron, only 17% of respondents believe they can identify a malicious QR code, while 67% believe they can identify a malicious link. When people scan a QR code, it is often in a public place like a restaurant or retailer.
An individual must decide if the QR code in front of them is valid. While the actual QR image cannot be “hacked,” there are other ways to direct the victim to a malicious site or app. First, a scammer could take a sticker with a malicious QR code and put it over any public QR code. Or, a hacker could hack the website linked in a dynamic QR code.
A criminal may also use social engineering to get potential victims to scan a code that leads to a malicious site or app. In the Netherlands, a scammer would ask people to pay for their parking via QR code using their banking app in exchange for cash. Those who wanted to help ended up scammed out of tens of thousands of euros. Scanning the QR code in this situation was equivalent to entering banking credentials into a phishing bank site.
A QR code could also direct you to a site that will install malware on your phone. Malware could allow hackers to steal login or credit card information for any app, track your location, or even disable your phone completely.
Creating a QR code is quick, easy, and free. That means scammers have little to lose when trying a QR code scam. What can you do to protect yourself?
In some ways, we can treat a QR code as we would a link in an email. You wouldn’t click on a link from an unknown sender, so don’t scan an unknown QR code you may come across in a public setting. Be especially wary if the QR code seems to be a sticker placed on top of another QR code. If a friend confirms that they have used that particular QR code with success, you may feel comfortable scanning it also. QR codes cannot force payments, so be sure to verify payment details before clicking to confirm.
Combined with awareness, technology can also help. You can download and use a QR code scanner that will provide a warning if the QR code directs to a malicious site. There are multiple options by well-known cyber security companies like Sophos or Kaspersky.
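As an added illustration (not code from this article or from any scanner vendor), the sketch below shows the kind of pre-check a scanner can run on a decoded QR payload before acting on it: it reports which action the scan would trigger and flags link traits worth a second look. The scheme-to-action mapping, the shortener list, and the `exampleapp` scheme are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Action a phone typically offers per payload type (illustrative mapping).
ACTIONS = {"http": "open website", "https": "open website",
           "mailto": "draft email", "tel": "start phone call",
           "sms": "draft text message", "smsto": "draft text message",
           "wifi": "join Wi-Fi network", "geo": "open map location"}
# Constructed sample of link shorteners; an assumption, not a complete list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def inspect_payload(payload: str) -> dict:
    """Report what scanning would do and any reasons to stop and check."""
    text = payload.strip()
    if text.upper().startswith("BEGIN:VCARD"):
        return {"action": "add contact", "warnings": []}
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):(//)?", text)
    scheme = m.group(1).lower() if m else ""
    if scheme not in ACTIONS:
        if m and m.group(2):  # unknown scheme followed by '//' => app hand-off
            return {"action": "open app",
                    "warnings": [f"custom scheme '{scheme}' hands off to an app"]}
        return {"action": "show plain text", "warnings": []}
    warnings = []
    if scheme in ("http", "https"):
        try:
            parts = urlsplit(text)
        except ValueError:
            return {"action": ACTIONS[scheme], "warnings": ["malformed URL"]}
        host = parts.hostname or ""
        if scheme == "http":
            warnings.append("unencrypted http link")
        if "@" in parts.netloc:
            warnings.append("text before '@' can disguise the real host")
        if is_ip(host):
            warnings.append("raw IP address instead of a domain name")
        if any(label.startswith("xn--") for label in host.split(".")):
            warnings.append("punycode host may imitate another domain")
        if host in SHORTENERS:
            warnings.append("shortened link hides the destination")
    return {"action": ACTIONS[scheme], "warnings": warnings}
```

A check like this only surfaces what the payload will do and how the link is written; it cannot tell whether a normal-looking site has been compromised, so verifying payment details before confirming still applies.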
Stay aware, and think before you click OR scan.