QR code phishing and how to avoid it
QR code phishing is a growing cybersecurity threat. In this article, we’ll tell you what it is, how it works, and how to protect yourself from QR code scams.
What are QR codes, really?
We’ve all seen QR codes before: those little square barcodes, typically black and white, that you find just about everywhere nowadays. But what are they?
Originally, QR codes were just labels for physical items. In the 1990s, the Japanese auto industry started using them to keep track of vehicles and components during the manufacturing process. But because QR codes are machine-readable and can store a lot of information, they were later adopted as a way to send data to a smartphone.
The type of data contained in a QR code can vary, but typically it’s just going to be a link to a website. On iOS, your Camera app will automatically detect QR codes. When you point your iPhone’s camera at one, you’re shown an option to open the linked URL in the default web browser.
More than anything else, that’s what you need to remember about QR codes: They’re usually nothing more than simple web links. And as we’ll see, this has serious implications for cybersecurity.
(If you’re curious about what all of the different squares in a QR code actually mean, this video does a great job of explaining it)
What is QR code phishing?
Phishing attacks often use a link to a malicious website that is sent via email. QR code phishing is basically doing the exact same thing, but uses a QR code to get the victim to go to the malicious website. Like any other phishing website, its sole purpose is to get you to enter your Social Security number, bank login details, email account credentials, or some other bit of sensitive data.
Examples of QR code scams
QR code scams take a number of forms. Here are a few ways that the bad guys have already used QR codes for phishing attacks:
QR codes and fake parking tickets
In China, scammers placed fake parking tickets on illegally parked cars. The tickets contained a QR code and instructions to use the code to pay via a mobile payment app. To make the QR code scam even more convincing, the fraudulent account set up to receive the payment used a profile photo of a police officer!
QR code banking app scams
In the Netherlands, a QR code scam exploited a legitimate feature of ING Bank’s mobile banking application. ING lets customers use a QR code to set up a secondary mobile device to access their account. The scammers looked for ING customers who were selling things online, and then obtained their account numbers — supposedly so that they could pay them for a purchase!
They then used an ING app installed on their own mobile device to generate a QR code that, when scanned by the target, would set up the scammers’ device as the secondary device on that person’s bank account. Next, they sent the QR setup code to the potential victim, claiming that they had to scan it in order to “confirm the payment”. If the target scanned the malicious QR code, their account would link up to the ING app on the scammers’ device, giving the bad guys easy access to the money.
QR codes in credential phishing emails
Malicious QR codes on parking meters
In Texas, criminals have started putting stickers with malicious QR codes on city parking meters. Police in Austin, San Antonio, and Houston say that they’ve discovered stickers with fraudulent QR codes on a number of meters. The scammers are attempting to trick drivers into thinking that they can pay for metered parking via a special “Quick Pay Parking” website — but the website is just a phishing site set up to steal credit card information.
How to spot and prevent QR code phishing
It’s not practical to avoid QR codes completely — especially in the era of COVID-19, when they’re used for payments, digital menus, package tracking, contact tracing, and more. But there are some basic steps you can take to keep yourself safe. Here are six suggestions:
QR codes are meant to be quick (it’s in the name, after all!). When most people see a QR code, their first instinct is to just scan it and go, and they generally won’t take a lot of time to think about what they’re doing. The scammers are counting on this. Don’t fall into their trap.
Before you scan a QR code, take a moment to slow down and think about what’s really happening. Ask yourself: Do I know who put the QR code there? Do I trust that it hasn’t been tampered with? Does it even make sense for a QR code to be used in this situation? If something feels “off”, trust your gut and don’t scan the QR code.
Think of it as a link
Train yourself to treat QR codes as links. Before you even scan one, say to yourself, “I’m about to click a link. Is this safe?”
A QR code stuck to the side of a building is like a link sent to your email by a total stranger. If that showed up in your inbox, would you click on it?
A QR code that takes you to a website asking for financial details is the same as a link that does this. If someone emailed you a link saying, “Hi, I work for the city’s parking division, click on this link and enter your credit card details so that you can prepay for parking”, would you do it?
Once you cultivate this mindset, it’s far easier to spot high-risk QR codes!
Inspect QR code links
In iOS, your Camera app will automatically detect QR codes and give you the option to open the associated link in a web browser. You’ll be shown the URL that the QR is trying to take you to. Take a second to inspect it carefully before you proceed to the site.
If the domain doesn’t match the organization that the QR code claims to come from, or if it is clearly suspicious, then something isn’t right. The URL used in the Texas parking meter scams, for example, was “passportlab.xyz” — definitely not an official website of the city of Austin, San Antonio, or Houston!
Businesses and governments sometimes use shortened URLs in their QR codes, or contract third-party services to handle mobile payments. This makes it harder to spot a mismatched URL. You can sometimes do a quick web search for the URL and the organization name to see if you can confirm that the QR code is legitimate. But beyond that, you need to be very careful, especially if you plan on paying for something.
If you’re not sure whether or not it’s OK to use the QR code, play it safe and navigate to the organization’s website in your browser to find what you’re looking for.
Look for signs of physical tampering
In places where QR codes are commonly used, such as a restaurant, keep an eye out for signs of physical tampering. If you spot a QR code sticker that appears to have been placed over top of a legitimate code, be careful. It could simply be a case of an overworked employee who didn’t have time to scrape the older sticker off. But it could also be malicious.
In general, bear in mind that in a public place, anyone can put up a malicious QR code sticker, provided that they’re bold enough to do so. And remember, bad guys can easily download company logos and government seals from the web: these are no guarantee of authenticity!
Finally, if you live in a place where QR codes are used for contact tracing or parking payments, it’s best to get the official app used to handle these things.
Draw some red lines
Keep a mental list of situations where you absolutely will not trust a QR code.
If a QR code takes you to a site that requests highly sensitive personal or financial data — especially things like banking details — it’s best to just close the browser and navigate to the organization’s website independently.
Don’t scan random QR codes that you find posted in public or that are sent to you via paper junk mail. Yes, 9 times out of 10 this is probably just a marketing tactic. But scanning one of these QR codes is essentially the same as clicking on a spam email link. Better safe than sorry.
Lastly, be wary of an unsolicited QR code that comes in by email, even if it seems to be from an organization that you know. Again, some of these are probably fine: It’s just companies trying to drive cross-platform engagement by sending out QR codes in their emails. But since we know that QR codes have already been used in phishing email campaigns as a way of getting past security software, it’s probably best to avoid emailed QR codes altogether.
Finally, use two-factor authentication to protect your accounts.
If you follow all of the advice above, you may still fall victim to a QR-based credential phishing attack. But if you have 2FA turned on, your account will be safe.
2FA won’t help you if you give out your Social Security number or credit card details on a phishing website, but it can definitely protect you from an account compromise.
To learn more about social engineering tactics (and how to spot them), have a listen to Checklist 45: Social Engineering, the Human Element of Hacking.
To test your overall phishing savvy, take our fun and educational phishing awareness quiz!