QR codes have become ubiquitous in our daily lives, popping up on everything from product packaging to restaurant menus. By scanning a QR code with your smartphone, you can be directed to a website or gain access to more information about a product or service. Unfortunately, scammers have found ways to misuse this technology for their own benefit. Let’s take a closer look at QR code scams and how to protect yourself from potential cyber security threats.
The Danger of QR Codes
In an interview with CSO Online, Alex Mosher, global vice president at MobileIron, stated, “By their very nature, QR codes are not human-readable. Therefore, the ability to alter a QR code to point to an alternative resource without being detected is simple and highly effective.”
According to a recent study, almost 75% of the participants could not differentiate between a genuine and malicious QR code. The study emphasized the importance of educating individuals about the various other functions that QR codes can perform.
“Mobile device attacks can be a threat to both individuals and businesses,” warns Mosher. He emphasizes that a successful attack on an employee’s mobile device can lead to personal data being compromised, financial resources being depleted, and/or sensitive corporate data being leaked.
How Does a QR Scam Happen?
QR code scams come in many forms, but here are a few current examples:
“Quishing” or QR Code Phishing
Hackers use quishing to conceal a fraudulent website address inside a QR code, so victims cannot detect the phishing attempt by simply checking the address before scanning. The codes typically arrive in phishing emails, where threat actors create a sense of urgency or stress, such as a time-sensitive alert, which can cause victims to be less attentive than usual.
Placement of Fraudulent QR Codes
Scammers place their own QR codes over legitimate codes on products in stores to steal personal information. When consumers scan the codes, they are directed to a fake website asking for sensitive information such as:
- credit card information
- bank account numbers
- or even your social security number
Malware Installation
Scammers place QR codes on stickers or posters around public places. When users scan them, they are taken to a website where they are prompted to download an app. The app then installs malware on the unsuspecting victim’s phone.
Real Life QR Code Scams
Energy Company Quishing
In August 2023, cybersecurity researchers at Cofense detected a widespread phishing attack targeting a major energy company in the United States.
Over a thousand emails were sent as part of this targeted attack, with almost 29% directed at the energy company. The remaining emails were sent to companies in the manufacturing (15%), insurance (9%), technology (7%), and financial services (6%) industries.
The phishing email operation included QR codes that led recipients to a fake Microsoft 365 login page. The attackers used urgency to trick victims into updating their account settings within three days, leading to a quick response and the theft of their login credentials.
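A mail filter or help desk that has already decoded the QR image can triage the payload before anyone opens it. The sketch below is an added example, not code from Cofense or any vendor named here; the trusted-host allowlist, the keyword list and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only host this organisation's staff sign in on.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}
# Assumption: wording that suggests a page is posing as a sign-in portal.
LOGIN_WORDS = ("login", "signin", "microsoft", "office365", "mfa", "verify")
# Payload types that make the phone do something other than open a web page.
ACTIONS = {"wifi:": "joins a Wi-Fi network", "smsto:": "drafts a text message",
           "tel:": "dials a number", "mailto:": "drafts an email",
           "begin:vcard": "adds a contact"}


def triage_qr_payload(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload deserves a closer look."""
    text = payload.strip()
    for prefix, action in ACTIONS.items():
        if text.lower().startswith(prefix):
            return [f"not a web link: {action}"]
    parts = urlsplit(text)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return ["unrecognised payload type"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("no TLS")
    if parts.username or parts.password:
        # "trusted.example@other.example" opens other.example, not trusted.example.
        reasons.append("userinfo before the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host (possible lookalike)")
    if host not in TRUSTED_LOGIN_HOSTS and any(
            word in (host + parts.path).lower() for word in LOGIN_WORDS):
        reasons.append("sign-in wording on an untrusted host")
    return reasons


# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = ["https://login.microsoftonline.com/common/oauth2/authorize",
           "http://microsoft-365-verify.example/login",
           "https://login.microsoftonline.com@203.0.113.7/mfa",
           "WIFI:T:WPA;S:CafeGuest;P:example;;"]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_qr_payload(sample) or "no findings")
```

An empty list means only that none of these checks fired; it does not prove the destination is safe.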
Malicious Paw Patrol QR
In September 2023, a disturbing incident occurred where cyber criminals redirected a URL associated with the children’s cartoon ‘Paw Patrol’ printed on four themed snack products. As a result, the URL led to pornographic content.
The discount supermarket, Lidl, had to recall its entire range of snacks because of a safety concern. TechRadar reached out to Lidl and was advised that “this is a limited offer product from a specific brand that is not included in our primary selection and is also available at other retailers.”
Lidl issued a public notice regarding the QR hijacking issue. “We recommend that customers refrain from viewing the URL and return this product to the nearest store where a full refund will be given.”
As per the report by TechCrunch, the domain involved in the cyber attack is presently registered to an individual based in Lianyungang, China. However, it was earlier owned by Appy Kids Co., the manufacturer of the affected Paw Patrol products. According to public records from Companies House, the company dissolved over a year ago.
Protecting Yourself from QR Code Scams
Here are some tips to help you stay safe from QR code scams:
1. Avoid QR Codes in Public Places
If you see a QR code on a poster or sticker in a public place, be wary of scanning it—only scan codes from sources you trust.
2. Verify the Source Before Scanning
Before scanning a QR code, ensure it is from a legitimate source. If it’s on a product, for example, make sure it’s the original code and not a sticker placed over it.
3. Don’t Give Out Personal Information
Be wary if a QR code takes you to a website that asks for personal information. Legitimate websites will never ask for things like your social security number or credit card information.
4. Keep Your Phone Software Up to Date
Ensure your smartphone’s operating system and security software are current. This will help protect you from malware and other threats.
QR Code Scams | Conclusion
QR codes provide a convenient way to access information, but malicious software and individuals can also exploit them. Avoid scanning codes in public places, verify the source before scanning, and never give out personal information. By following these tips, you can safely enjoy the benefits of QR codes.
Are you concerned about the security of your business from QR code scams or other cyber threats? At AtNetPlus, we have safeguarded businesses in Northeast Ohio from such malicious attacks since 1998. Learn more about our award-winning Managed IT and Security Services.
Stay safe, stay informed, and let’s outsmart the scammers together.
Sources:
- How attackers exploit QR codes and how to mitigate the risk | CSO Online
- Why you should think twice before scanning QR Codes | TechRadar
- Major Energy Company Targeted in Large QR Code Phishing Campaign | Cofense
- Lidl recalls Paw Patrol snacks after website on packaging displayed porn | TechCrunch
- APPY FOOD AND DRINKS LIMITED | gov.uk