Acer America
Acer America Corp. is a computer manufacturer of business and consumer PCs, notebooks, ultrabooks, projectors, servers, and storage products.

Location

333 West San Carlos Street
San Jose, California 95110
United States

WWW: acer.com


News & Articles

September 25, 2024

Expert Tips to Avoiding Common QR Code Scams

Stay one step ahead of QR code scams with the right knowledge. Learn how to enhance your cybersecurity services for clients.

Quick response (QR) codes are everywhere today, even though humans can’t read the blotchy, low-res pixelated squares. But that also means that QR code scams exist.

Developers created QR codes in the 1990s to overcome the 20-character limit in bar codes. Despite their convenience, QR codes can trigger a multitude of security breaches if your clients don’t use them with care. Therefore, MSPs must educate clients on what to look for.


Finding the Right Tools

Existing security tools won’t help protect against these codes. “Email filtering is not designed to follow a QR code to its destination and scan for malicious content,” said Olesia Klevchuk, product marketing director at Barracuda Networks.

However, AI and other detection tools will help, Klevchuk added. “A fake QR code is usually not the only sign of a malicious email. AI-based detection will take other signals into account,” she said. Scammer detection routines will catch suspect QR codes by flagging an unsafe email based on the sender, content, image size, or other factors.

MacKenzie Brown, vice president of Blackpoint Cyber’s Adversary Pursuit Group, stressed that MSPs should handle QR codes with the same caution as phishing emails. “Never scan codes from unverified sources, especially for product installation. Attackers can easily create convincing malicious QR codes, and users often don’t think twice before scanning.


“People have become too accustomed to casually scanning QR codes at restaurants or for promotions. Everyone needs to think twice,” she cautioned. “Even if the code itself seems safe, the destination URL or downloaded content can be dangerous.”

It’s difficult to instill this practice in clients. It’s common for people to scan QR codes for reasons like reading restaurant menus, she noted. “It’s very easy for attackers to generate a malicious QR code.” While the QR code itself may not be malicious, the destination URL or downloaded information may well be harmful, Brown said.

What To Look For


“Just when you thought you could trust those innocent little squares, the bad guys swoop in, ready to turn your curiosity into their payday,” added Oleksandr Zherebtsov, security manager at Sigma Software Group, a Swedish-Ukrainian company.

Scam signals to look for include poorly designed QR codes, he said. “Misaligned, tampered, or sticker-covered QR codes are like wearing a fake mustache—obviously suspicious!” If a QR code asks for bank information or makes another unexpected request, consider it unsafe.

Other suggestions to outsmart QR code scammers include verifying the source, if possible. Use only trusted QR code scanners, such as your phone’s app or scanner software from an official, trusted source. Keep your camera and scanner apps updated. Don’t ever download a new app recommended by the QR code to read it, experts said.

Checking the QR code’s destination link can be tricky, according to Morey Haber, chief security advisor at BeyondTrust, a security company in the identity space. Bubbles may show the hyperlink, but scammers can easily embed compromised sub links, he noted. “When in doubt, don’t click, don’t proceed.”
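For MSPs who want to show clients what checking the destination means in practice, here is an added example (not from the article or any vendor quoted in it) that statically triages text already decoded from a QR code. The allowlist `EXPECTED_HOSTS`, the function name, and every sample payload are constructed for illustration; the checks are simple heuristics and do not follow the link.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Hypothetical allowlist: hosts a client expects its own QR codes to point at.
EXPECTED_HOSTS = {"pay.example.com", "menu.example.com"}

def triage_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Return a list of warnings for text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable payload: do not open"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes can also carry Wi-Fi settings, SMS drafts, contact cards.
        return [f"non-web payload ({scheme or 'no scheme'}): review manually"]
    findings = []
    if scheme == "http":
        findings.append("unencrypted http destination")
    if parts.username is not None or parts.password is not None:
        findings.append("text before '@' can disguise the real host")
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append("punycode label: possible look-alike domain")
    if host not in expected_hosts:
        findings.append(f"host {host!r} is not on the expected list")
    for key, value in parse_qsl(parts.query):
        # A second URL inside the query string often means a redirect.
        if value.lower().startswith(("http://", "https://")):
            findings.append(f"nested URL in parameter {key!r}: may redirect")
    return findings

if __name__ == "__main__":
    # Constructed sample payloads (documentation-only hosts and addresses).
    samples = [
        "https://pay.example.com/invoice/42",
        "http://pay.example.com@203.0.113.7/login?next=https://login.example.net/",
        "https://xn--constructed-label.example/menu",
        "WIFI:S:Guest;T:WPA;P:constructed;;",
    ]
    for sample in samples:
        print(sample)
        for warning in triage_qr_payload(sample) or ["no warnings"]:
            print("   -", warning)
```

An empty result only means none of these heuristics fired; it is not proof that the destination is safe.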


No One Is Immune

Haber warns that anyone can fall for a well-crafted phishing attack. Also, after hours, users typically lower their guard. If possible, always use a dedicated authenticator application from Microsoft, Google, or another trusted source rather than the mobile device’s camera application itself, Haber said.

“Providing payments via a public QR code is no different than providing credit card information via an anonymous link,” he said. Explaining and enforcing this will be hard as businesses increasingly ask consumers to pay via QR code. “When in doubt, don’t click.”

Brown added, “Dealing with QR codes and QR code security for the average user is more about understanding potential risk that comes along with what seems like a simple scan. It’s situational awareness.”

Barracuda’s Klevchuk laid out your next step. “If QR code attacks are not part of your security awareness training yet, make sure they are covered in the future.”


Hot Tips 

Here are some suggestions you can follow to avoid scams hiding behind QR codes:

  • Avoid payments using public QR codes.
  • Do not scan QR codes from unsolicited emails.
  • Check the destination of any QR code.
  • Do not be a victim of your own curiosity.
  • You do not need a QR code app.

Source: QRFY


6 QR Code Scams to Watch

Scammers have been creating fake QR codes to fool victims into visiting malicious imposter websites or downloading malware on their devices. Here are some circulating the U.S. that you need to look out for:

  1. Parking Information and Payment: Fake QR codes are placed onto parking meters or information signs. Don’t be fooled! They are designed to steal users’ credit card information. Look out for unsecured URLs or websites that have spelling or grammar errors.
  2. Posters and Information Boards: Postings in public areas, like town or city centers where and when events take place. Check to see if the QR code is a sticker covering and replacing an existing code. It may have been placed in a strange way compared to the rest of the advertisement.
  3. Social Media Messages: Hackers may take over a known person’s account and send messages containing QR codes. Beware if the messages are worded differently than how the person normally replies or if they’re from someone you have not spoken to in a long time. Be sure to message or call the person to verify if these messages are legitimate.
  4. Phishing Emails: Scanning QR codes included in emails may be just as risky as clicking on links in unsolicited emails. Examples include phoney emails from a well-known retailer containing a QR code pertaining to a failed purchase, order, or unknown account. Avoid interacting any further with the email or sender.
  5. Physical Mail or Packages: These can include bogus letters with QR codes through surveys, competitions, or tracking a supposed order. Legitimate companies rarely send QR codes in this way. Look out for urgent or threatening language to get you to act quickly or incentivize you to scan by offering made-up rewards.
  6. Scanner Apps: These usually are not necessary since your smart device camera can scan QR codes. If it’s a fake, it may allow malware to be installed on your device to steal data and personal details. Be wary of scanner apps that have strange reviews or have received a lot of ratings in a short timeframe.

Source: Kushal Tantry, CEO of QR Code Developer


Image: iStock
