QR code scams now at epidemic level (guide)

QR code scams have reached epidemic levels, according to the Victorian Police Force. They are now everywhere: on posters, cafe menus, parking meters, Facebook and other online marketplaces, job offers, and much more.

The US Federal Trade Commission has grave concerns about the ‘growing abuse’ of QR codes. Scammers are exploiting the lack of security surrounding both online and offline QR codes.

What is a QR code?

A Quick Response (QR) code is a type of 3D barcode that contains a web address (URL) and up to 4000 characters of hidden text. Legitimate QR codes are a very easy way to get more information or even order a cafe meal.

QR code scams

What is a QR code scam?

A QR code scam uses a repurposed code that usually contains a fake website address (URL), or hidden text that performs operations on your smartphone.

For example, a malicious QR code could deep link you to a website with an executable file to install malware or apps.

It can also add an address card to your contacts and even compose and send an email from your account. Worse, it can send the QR code scam to everyone in your contacts list with your recommendation to check it out.

Rule #1 Only scan a QR code if you are 100% sure it is legitimate.

How to spot legitimate and illegitimate QR codes

The most obvious sign of a QR code scam is when a QR code sticker has been placed over the legitimate one using an adhesive label. This mainly applies to self-service restaurants or cafes where you must order via smartphone at the table. However, they have also been found in display advertising, street pole advertising, parking meters, free public Wi-Fi, and anywhere you expect to be taken to a website for further information.

The least obvious is where a fake QR code is substituted for a real one online. You might be on your local pizza store website, but hackers have replaced the QR code with one that points to a ‘scraped’ copy of the pizza store site. You order, enter your delivery and payment details, and wonder where your pizza is when it has not arrived hot and fresh in 20 minutes. Lots of sub-$100 credit card transactions are the result.

Another common QR code scam is on unsolicited snail mail or email. It may offer you a chance to win by scanning the code. Online surveys using a QR code to access a survey site are also common.

Rule #2 Scammers go to great lengths to look legitimate. Check the URL the code takes you to against the company’s actual URL.
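The check behind Rule #2, and the list of things a malicious code can make a phone do (open a link, add a contact card, compose an email), can be applied to the raw text a scanner app reveals before it acts on it. The Python script below is an added example and not CyberShack’s code: it classifies a decoded QR payload by the action it would trigger and compares a web link’s host against the domain you expected. Every payload string and domain in it is constructed for illustration.

```python
"""Triage of decoded QR code payloads.

Added example (not CyberShack's code). A scanner app shows the raw text a QR
code carries before acting on it; this script classifies that text by the
action it would trigger and checks a web link's host against the domain you
expected. Every payload and domain below is constructed for illustration.
"""
from urllib.parse import urlsplit

# Payload prefixes that make a phone *do* something rather than show a page.
ACTION_SCHEMES = {
    "mailto": "compose an email",
    "tel": "start a phone call",
    "sms": "compose an SMS",
    "smsto": "compose an SMS",
    "wifi": "join a Wi-Fi network",
    "mecard": "add a contact card",
}

# Extensions that mean the link delivers an installable file, not a web page.
INSTALLER_EXTENSIONS = (".apk", ".exe", ".msi", ".dmg", ".ipa")

# Public link shorteners hide the final destination until it is opened.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rb.gy"}


def host_matches(host, expected_domain):
    """True if host equals expected_domain or is one of its subdomains."""
    host = host.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def triage(payload, expected_domain=None):
    """Classify a decoded QR payload.

    Returns {'kind': 'web-link' | 'action' | 'text', 'warnings': [...]}, plus
    'host' for web links and 'action' for action payloads.
    """
    text = payload.strip()
    warnings = []

    # vCard contact cards are a block, not a scheme: they start with BEGIN:VCARD
    if text.upper().startswith("BEGIN:VCARD"):
        action = "add a contact card (vCard)"
        warnings.append("performs an action: " + action)
        return {"kind": "action", "action": action, "warnings": warnings}

    scheme = text.split(":", 1)[0].lower() if ":" in text else ""

    if scheme in ("http", "https"):
        parts = urlsplit(text)
        host = parts.hostname or ""
        if scheme == "http":
            warnings.append("plain HTTP: the link is not encrypted")
        if host in SHORTENERS:
            warnings.append("link shortener hides the real destination")
        if "xn--" in host:
            warnings.append("punycode host: may imitate a familiar name")
        if "@" in parts.netloc:
            warnings.append("text before '@' is not the site; the real host follows it")
        if parts.path.lower().endswith(INSTALLER_EXTENSIONS):
            warnings.append("link downloads an installable file, not a web page")
        if expected_domain and not host_matches(host, expected_domain):
            warnings.append(f"host {host!r} is not {expected_domain!r}")
        return {"kind": "web-link", "host": host, "warnings": warnings}

    if scheme in ACTION_SCHEMES:
        action = ACTION_SCHEMES[scheme]
        warnings.append("performs an action: " + action)
        return {"kind": "action", "action": action, "warnings": warnings}

    # Plain text (a table number, a serial) triggers nothing by itself.
    return {"kind": "text", "warnings": warnings}


# Constructed payloads: a genuine cafe menu link, then the scam patterns the
# article describes (look-alike host, shortener, installer, contact card, email).
SAMPLE_PAYLOADS = [
    ("https://order.pizzaplace.example/menu", "pizzaplace.example"),
    ("https://pizzaplace.example.evil-host.example/menu", "pizzaplace.example"),
    ("https://pizzaplace.example@evil-host.example/pay", "pizzaplace.example"),
    ("http://bit.ly/abc123", "pizzaplace.example"),
    ("https://cdn.evil-host.example/scanner-update.apk", None),
    ("MECARD:N:Helpdesk;TEL:0000000000;;", None),
    ("mailto:friend@mail.example?subject=Check%20this%20out", None),
    ("Table 12", None),
]

if __name__ == "__main__":
    for payload, expected in SAMPLE_PAYLOADS:
        result = triage(payload, expected)
        print(f"{payload[:48]:<48} {result['kind']:<9} "
              f"{'; '.join(result['warnings']) or 'no warnings'}")
```

The host comparison deliberately accepts only the expected domain and its subdomains, so a look-alike such as `pizzaplace.example.evil-host.example` is flagged even though it begins with the familiar name. Anything that is not a plain web link is reported as an action, because adding a contact or composing an email is exactly the kind of behaviour the article warns about.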

Social media is awash with QR code scams

There is a considerable likelihood that a QR code on a social media influencer’s page is more than it seems. At the very least, it gathers personal data to sell. At its very worst, it plants trackers in your browser and monetises your browsing history.

Rule #3 Never trust social media QR codes.

What to do if you suspect a QR code scam

  • Immediately change your passwords for any online account used for payment.
  • Advise the bank and try to stop or reverse the payment.
  • Report the scam to the original retailer, cafe etc.

Rule #4 The faster you act, the less the damage.

New QR code scams

Physical mail and package scams: Scammers use email or physical mail to trick you into scanning a QR code to track and receive your goods.

Surveys and competitions: QR codes are increasingly used to enter competitions and giveaways.

QR code scanner app scams: While Trend Micro’s app is legitimate, hundreds of illegitimate ones download and install malware on your device. Beware of any that require you to download an update to the app after installation. Do not give these any permissions.

QR codes sent by ‘friends’ to show you something interesting or funny: They will be from compromised email, social media or LinkedIn accounts.

CyberShack’s view – QR codes are wide open to abuse

I now refuse to use QR codes to order in a restaurant. Why? I don’t trust them, and I want to physically swipe/tap my credit card to make a payment. Restaurants know this issue, and most will take an order and payment at the counter.

A friend has been scammed by a QR code at the petrol bowser. The first he knew was when he checked his credit card statement, which had several <$100 transactions. To add insult to injury, he received a summons, including substantial legal costs, to pay for the petrol.

A non-tech-savvy senior friend used a QR code to claim a prize from a well-known retailer that you have a 50/50 chance of shopping at. It cost him thousands of dollars.

Rule #5 Cybercriminals are smart and out to get you – caveat emptor.

Brought to you by CyberShack.com.au