Business Reporter

Keeping clear of QR code scams

Dangers of scanning QR codes

Len Noe at CyberArk explores the way that scanning QR codes can pose a personal and organisational threat

 

If it seems like there’s a QR code on everything these days, you’re right.

 

While we used to prefer things we could touch and investigate for ourselves, the pandemic changed all of that. A QR code stuck on a window or a menu that would usually spark little interest became a safer route back to our ‘normal’ lives. Suddenly they accompanied every possible service – restaurants, shops, and even government vaccine programmes.

 

So we got scan-happy, collectively forgetting the ‘stranger danger’ of an unknown web address hiding inside the black-and-white image.

 

Case in point: In January 2022, the FBI issued a warning that cyber attackers were tampering with legitimate QR codes to redirect victims to malicious sites that steal login and financial information.

 

Within weeks of the warning, during the biggest football game of the year, a television advert showing nothing but a QR code, and never naming the company behind it, drew more than 20 million hits on its landing page in around 60 seconds.

 

The threats that QR codes present

So it seems clear that we instinctively trust QR codes, but should we? A QR code is nothing more than a machine-readable encoding of text, almost always a web address, so scanning one is the same as clicking an unknown link, except that you can’t read the link first. I decided to look into the ways that QR codes could present a threat, and found a number of ways they can be manipulated to steal personal information, which in turn can offer a gateway into an organisation.

 

In a tale as old as time, the simplest abuse is to turn a QR code into a basic phishing lure: because trust in the codes is so high, people willingly hand over their details at the other end. Organisations should encourage employees to be wary of who they give personal information to, including checking that the web address a code lands them on matches what they expected.

 

A sign-up sheet at a job fair, a competition entry or a survey might seem like a legitimate reason to part with personal data. Checking the web address helps confirm or deny whether something ominous sits behind it: if the address doesn’t look like it belongs to that organisation, don’t trust it.

 

For an attacker, those personal details are a starting point for reconstructing or guessing the credentials needed to get into your personal accounts, and from there into your organisation.

 

More seriously, a QR code could send a user to a spoofed version of their mobile app store that serves a malicious app. Once installed and granted the permissions it asks for, that app can read personal (or company confidential) messages, report the phone’s GPS location, and even use the camera.

 

That is a serious threat to any business, putting company data at risk and opening the door to a devastating attack. Organisations ought to take more than a passing interest in the personal security of their employees, encouraging them to check the source of apps and downloads so that a compromise of a personal device doesn’t rebound onto the company.

 

QR code attacks are on the rise

In China, scammers have been caught placing fake parking tickets — complete with QR codes for easy mobile fine payment — on parked cars.

 

In the Netherlands, a QR code scam exploited a legitimate feature within a mobile banking application to swindle the bank’s customers, while in Germany, phony emails containing QR codes have lured eBanking customers to malicious websites under the guise of reviewing privacy policy updates to their accounts.

 

And in Texas, criminals hit the streets, pasting stickers bearing malicious QR codes onto city parking meters and tricking residents into entering credit card details on a phishing site posing as the payment service.

 

With attacks like these on the rise, awareness needs to be raised and more done to prevent people from falling foul of malicious actors.

 

Seven ways to protect yourself and your organisation

So, what’s the best way to protect against these attacks? It’s not too different from the way we’ve learned to double-check emails and verify strange texts: we simply need to be a little more discerning about QR codes.

 

  1. Don’t scan it! Trust your gut. If it doesn’t feel right, don’t scan. Legitimate codes are often printed with the URL beside them, in which case you can type that address in directly or reach the site through a search engine. A code with no URL and no obvious owner should raise a red flag.
  2. Slow down. Take a second to question the circumstances before you scan. Do you know who put the QR code there? Can you trust that it hasn’t been tampered with? Does it even make sense to use a QR code in this situation?
  3. Inspect QR code URLs closely. Most phone cameras show the decoded link in a preview before opening it; read it there, just as you would with a suspicious link in an email. If it is misspelled, hides behind a link shortener, or doesn’t match the organisation you’re trying to reach, leave it be. For instance, in the Texas parking meter scams the URL used the domain “passportlab.xyz”, clearly not an official city government website.
  4. Look for signs of physical tampering. An easy way for an attacker to borrow your trust is to hijack a legitimate QR code use, like a restaurant menu, by pasting their own code over it. So if there are signs of tampering, such as a sticker over another code, be sceptical.
  5. Never download apps from QR codes. Bad actors can clone and spoof websites easily. Always go to the official app store for your device to download an app.
  6. Don’t make a payment via QR codes. Use the (safely downloaded) native app or search online for the official site to pay.
  7. Turn on multi-factor authentication (MFA). If you do fall for one of these attacks, MFA stops an attacker from getting into accounts like your email or social media with the password alone, and a login prompt you didn’t trigger is itself a warning sign. Bear in mind that a phishing site can relay a one-time code in real time, so where an account offers phishing-resistant MFA such as a security key or passkey, prefer that.
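
The domain check in step 3, as an added worked example (this code is not from the article or from CyberArk): a small Python triage routine for the text a phone camera shows after decoding a QR code. It goes beyond the article’s single “does the domain match” test to catch a few common tricks: non-web payloads (tel:, sms:, intent:), the user@host trick, raw IP hosts, internationalised (homoglyph) domains, link shorteners, throwaway TLDs, and the expected brand used as a subdomain of some other domain. The expected domain example-city.gov, the shortener and TLD lists, and the sample payloads are all constructed for the demo; the only real identifier is passportlab.xyz, which the article names.

```python
"""
Triage a URL decoded from a QR code before tapping "open".

Added example, not from the article. It does not decode the QR image;
it assumes the payload has already been decoded to text, which is what a
phone camera shows in its preview.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the organisation you expect to reach. example-city.gov is a
# placeholder for the demo, not a real domain from the article.
EXPECTED_DOMAINS = {"example-city.gov"}

# Constructed list of cheap TLDs common in throwaway phishing
# infrastructure; a signal, not proof.
SUSPICIOUS_TLDS = {"xyz", "top", "tk", "ml", "ga", "cf", "gq", "buzz", "click"}

# Link shorteners hide the real destination behind a redirect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly", "rb.gy"}


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or three for two-label public
    suffixes such as co.uk. Enough for a demo; use the public suffix
    list in production."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"co", "com", "org", "gov", "ac", "net"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(payload, expected=EXPECTED_DOMAINS):
    """Return a verdict ('open', 'caution' or 'block') plus the reasons."""
    reasons = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # QR payloads are not always web links: tel:, sms:, mailto:, wifi:,
    # intent: and app deep links trigger actions with no page to inspect.
    if scheme not in ("http", "https"):
        reasons.append("non-web payload scheme '%s'" % (scheme or "(none)"))
        return {"verdict": "block", "host": "", "reasons": reasons}
    if scheme == "http":
        reasons.append("plain http, no TLS")

    host = (parts.hostname or "").lower()
    if not host:
        reasons.append("no host in URL")
        return {"verdict": "block", "host": host, "reasons": reasons}

    # Userinfo trick: https://example-city.gov@evil.example/ ; the real
    # host is whatever follows the '@'.
    if "@" in parts.netloc:
        reasons.append("'@' in authority, real host is " + host)

    # A bare IP address is rarely a legitimate public service.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass

    # IDN / punycode labels can visually mimic a brand name.
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        reasons.append("internationalised domain name (possible homoglyph)")

    domain = registrable_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    if domain in SHORTENERS:
        reasons.append("link shortener hides destination")
    if tld in SUSPICIOUS_TLDS:
        reasons.append("suspicious TLD ." + tld)

    # Brand used as a subdomain: example-city.gov.passportlab.xyz
    for exp in expected:
        if exp in host and domain != exp:
            reasons.append("expected name '%s' is only a subdomain of %s" % (exp, domain))

    if domain in expected:
        verdict = "caution" if reasons else "open"
    else:
        reasons.append("domain %s is not one of %s" % (domain, sorted(expected)))
        verdict = "block"
    return {"verdict": verdict, "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads for the demo.
    samples = [
        "https://example-city.gov/parking/pay?meter=1234",
        "https://passportlab.xyz/pay",                    # scam domain named in the article
        "https://example-city.gov.passportlab.xyz/pay",   # brand used as subdomain
        "https://example-city.gov@198.51.100.7/pay",      # userinfo trick
        "https://bit.ly/3abcdef",                         # shortener
        "tel:+15555550100",                               # not a web link at all
    ]
    for s in samples:
        r = triage(s)
        print("%-8s %s  %s" % (r["verdict"], s, "; ".join(r["reasons"])))
```

Run it and each sample prints a verdict with its reasons. The registrable-domain helper is deliberately crude; a production version would use the public suffix list, and a user-facing implementation would still leave the final decision to a person, since every one of these checks is a signal rather than proof.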

 

When it comes to QR codes, the best piece of advice is to always use common sense. We’re better at thinking twice about the slightly off-looking emails, calls, and texts we receive, aware they could have a hidden, malicious agenda. Somehow, QR codes have escaped this extra scrutiny, with more people scanning them without a second thought – but it’s time to change that.

 

Scan safe out there — or better yet, don’t scan at all!

 


 

Len Noe is a Threat Evangelist and White Hat Hacker at CyberArk

 

Main image courtesy of iStockPhoto.com

Business Reporter, 23-29 Hendon Lane, London, N3 1RT. 020 8349 4363

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543