Do you scan QR codes to check out a restaurant menu, on parking meters, to get a discount coupon, to connect to a business's Wi-Fi, or to find out more about a historical place?
QR codes are everywhere and have become a part of our daily lives. However, sometimes they are not what you think they are.
The Federal Trade Commission (FTC) warns that scammers are hiding harmful links in QR codes and using them in phishing attacks, a tactic known as quishing. And it's on the rise.
Phishing has been a longstanding method of deception, taking various forms based on digital trends. This attack aims to trick people, by any means, into divulging sensitive information such as usernames, passwords, and credit card details, which can then be used for further criminal activities.
Given the popularity of QR codes and, more importantly, the tendency for people to scan them without questioning their purpose, QR codes have become perfect tools for scammers.
By manipulating QR codes, scammers lead individuals to a fake website that appears legitimate. If you log in on this spoofed site, scammers can steal any information you enter.
Alternatively, the QR code might install malware that silently collects your information before you even realize it. The format of a code, rather than a link, is the perfect disguise.
QR codes, also known as Quick Response codes, were invented by Masahiro Hara, an employee of the Japanese automotive company Denso Wave, in 1994.
The company faced challenges with traditional barcodes, which required up to 10 barcodes on a single product. This approach led to production delays as scanners struggled to read them from a single direction.
Masahiro Hara found inspiration for QR codes while playing the game Go. He realized that a grid-based system similar to the Go game board could store more information in a single code and be read from multiple directions, angles, and distances.
QR codes boomed in 2020, when the pandemic hit and everybody avoided physical contact.
They are here to stay and, unfortunately, are also susceptible to spoofing by cybercriminals.
Here are various scenarios where you might encounter a malicious QR code:
· Emails and Messages: Cybercriminals often send QR codes via emails or messages, pretending to be from legitimate sources, such as well-known companies or brands.
· Fake Promotions: Many deceptive QR codes lead you to believe you'll receive a discount or special offer.
· Physical Spaces: Fraudulent QR codes strategically placed in public spaces, on posters, or even on product packaging can catch individuals off guard.
Cybercriminals can get very creative in employing various cunning tactics to trick individuals into scanning their fake QR codes, ranging from covering legitimate QR codes with their own to sending convincing emails and messages.
Here are some of the ways they try to con you:
Their messages create a sense of urgency. All they want is for you to scan their code. However, you won't fall for their tricks because you know how to protect yourself.
Real story. DHL QR Code Scam?
Here's a real encounter with a suspicious QR code shared on Reddit.
"I'm trying to sell a PS4 through Facebook, and I've mostly been receiving the FedEx courier scam (the one where they ask you to get the money in cash from a courier who picks up the item), but today I got an offer from someone who wants to use DHL to pay me and pick up the item.
She claims that I can use a QR Code to get paid, and that afterwards I can bring the package to a DHL office to send it. I don't trust it fully, but I do know that DHL does have this type of service, so I'm trying to find out if it's a scam. Have you had anything like this?"
How to protect yourself
Use Scamio – the easiest and quickest method to check a QR code is with Bitdefender Scamio, a free scam detector. You can chat with it on Facebook Messenger or in your browser. Simply scan the QR code with Bitdefender Scamio, which will analyze it and provide you with the result. This way, you'll know if the QR code is malicious or not.
If you scan a fake QR code, change the passwords for any accounts you may have given scammers access to, and monitor your accounts.