Before you scan your next QR code, maybe you should think about who’s on the other end of that code. As the number of consumers scanning QR codes nears 16 million and the places to use them have grown – menus, ads, etc. – hackers are finding ways to manipulate them to their benefit.
As ConsumerAffairs found when we decided to build out some QR codes, they’re incredibly easy to create. There are lots of free QR code generators on the web where you can design codes that will send consumers a link, email, phone call, text message, vCard, PayPal request, event invitation, a social media nudge, images and videos, an app or a PDF.
But easy to create also means easy for hackers to bait consumers in all sorts of ways. If you make the mistake of scanning a malicious code, you could wind up giving the hacker control of your device.
When that happens, you lose big. Your contacts can be downloaded, malware can be loaded on your device, or you can be sent to a fake payment portal where the scammer can use your banking and credit card accounts to make payments to themselves.
And guess what? If you make a payment through a scammy QR code, it’s darn near impossible to get that money back.
Just last year, the FBI began receiving reports of QR code scams. Then, those spread to scammers using QR codes and gift cards together.
“Scammers may call and say they’re going to send a QR code to your phone so that you can receive a free $100 gift card. In reality, the QR code may take you to a malicious website,” the agency said.
2024 will be worse
When ConsumerAffairs spoke with John Wilson, senior fellow, Threat Research, Fortra, about the QR code situation, he said that 2024 will be a whopper year for QR scams.
“In 2024, we’ll see an uptick in QR code phishing scams, exploiting the widespread use of QR-codes for payments and information sharing. Scammers will create deceptive QR codes, leading users to malicious sites,” he said.
How will these codes play out in your life? Wilson says one way will be an increase in QR code phishing. In these situations, the victim receives an email pretending to be from their bank or another company they trust and will be instructed to scan a QR code in the email message, which leads to a phishing website.
Wilson says that we have to be extra careful with QR code swapping – especially in places where we’ve gotten used to scanning those codes, like restaurants and bars.
“In this scenario, the victim sees a QR code on a restaurant table that enables them to pay for their meal using their smartphone,” Wilson explained.
“Unfortunately, a scammer has covered the QR code with their own QR code, giving the scammer access to the victim's credit card details. Meanwhile, the victim believes they've paid for their meal but may be accosted by the restaurant staff for non-payment.”
Preventing QR code hacks
The ace-in-the-hole security precaution you should use to protect yourself against scammy QR codes is the same one you use already – common sense.
“Just as you would with emails or instant messages, don’t trust QR codes if you’re not sure where they’ve come from—perhaps attached to suspicious-looking emails or on websites that you can’t verify,” writes Wired’s David Nield.
“The QR code on the menu in your local restaurant, in contrast, is highly unlikely to have been generated by hackers.”
Urgency? Alarm? Don’t forget that those are earmarks of scams, too, such as “Verify your identity or prevent your account from being deleted by scanning this QR code.”
For those of you who do scan QR codes, the QR code scanners built into your phone also give you a preview of the link you’ll be visiting (it’s below the brackets surrounding the code).
If the link doesn’t make sense to you, maybe you should just hold off and contact the company directly via a phone call or email to confirm what it’s offering.
The FBI also says that if, after you scan a QR code, the site asks for a password or login info, you should stop what you’re doing, and that you should refrain from scanning QR codes received in emails or text messages unless you know they are legitimate.
“Call the sender to confirm,” the agency suggests.
Posted: 2023-12-06 02:25:41