Blog Post

QR Code Scams

  • Date Posted: January 24, 2024

Recently, the FTC warned consumers to be on the lookout for fake QR code scams.

Short for quick response codes, QR codes seem to be everywhere. You may have scanned one to see the menu at a restaurant or pay for public parking. You may have used one on your phone to get into a concert or sporting event or to board a flight. There are countless other ways to use them, which explains their popularity. Unfortunately, scammers hide harmful links in QR codes to steal personal information.

There are reports of scammers covering up QR codes on parking meters with a QR code of their own. In other cases, emails that attempt to steal passwords or install malware on user devices use QR codes to lure targets to malicious sites. Because the QR code is embedded into the email as an image, anti-phishing security software can’t detect that the link to which it leads is malicious. By comparison, when the same malicious destination is presented as a text link in the email, it stands a much higher likelihood of being flagged by security software. The ability to bypass such protections has led to a deluge of image-based phishing in recent months.

“A scammer’s QR code could take you to a spoofed site that looks real but isn’t,” the FTC warned. “And if you log in to the spoofed site, the scammers could steal any information you enter. Or the QR code could install malware that steals your information before you realize it.”

There are some things you can do to protect yourself.

  • After scanning a QR code, ensure that it leads to the official URL of the site or service that provided the code. Like traditional phishing scams, malicious domain names may be almost identical to the intended one, except for a single misplaced letter.
  • Enter login credentials, payment card information, or other sensitive data only after ensuring that the site opened by the QR code passes a close inspection using the criteria above.
  • Before scanning a QR code on a menu, parking garage, vendor, or charity, ensure it hasn’t been tampered with. Carefully look for stickers placed on top of the original code.
  • Be highly suspicious of any QR code embedded in the body of an email. There is rarely a legitimate reason for an email from a genuine site or service to use a QR code instead of a link.
  • Don’t install stand-alone QR code scanners on a phone without good reason, and then only after carefully vetting the developer. Phones already have a built-in scanner available through the camera app, which is more trustworthy.

Another word of caution regarding QR codes: the codes used to enroll a site into two-factor authentication with Google Authenticator, Authy, or another authenticator app contain the secret seed that generates the ever-changing one-time passwords these apps display. Anyone who sees that QR code can generate the same codes. Don’t allow anyone to view such QR codes, and re-enroll the site if one is exposed.
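As an added illustration of two of the checks above (that a decoded link really goes to the official domain rather than a one-letter lookalike, and that authenticator enrollment codes carry the TOTP seed), here is example code that is not part of the original post; the allowlist of official hosts and the sample payloads are constructed assumptions.

```python
from urllib.parse import urlparse

# Hypothetical allowlist of the hosts a scanned code is expected to open (assumption).
OFFICIAL_HOSTS = {"parking.example-city.gov", "menu.example-cafe.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_qr_payload(payload: str, official_hosts=OFFICIAL_HOSTS) -> str:
    """Classify the text decoded from a QR code before anyone opens or shares it.

    Returns 'ok', 'lookalike', 'unknown', 'totp-secret' or 'not-a-url'.
    """
    parsed = urlparse(payload.strip())
    # otpauth:// is the enrollment URI used by Google Authenticator, Authy and
    # similar apps; its 'secret' parameter is the seed behind every future OTP,
    # so this payload must never be shown to anyone else.
    if parsed.scheme == "otpauth":
        return "totp-secret"
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return "not-a-url"
    host = parsed.hostname.lower()  # urlparse already lowercases hostname
    if host in official_hosts:
        return "ok"
    # A single substituted, added, missing or swapped letter is the classic
    # lookalike; two edits also catches a transposed pair such as "exmaple".
    for official in official_hosts:
        if edit_distance(host, official) <= 2:
            return "lookalike"
    # Anything else (including "official-name.attacker.test") is unverified.
    return "unknown"
```

Run it on the text your scanner app displays before tapping the link; only an "ok" result means the host matched the allowlist exactly.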