Scanning a QR code to “find out more” may now lead to “get scammed some more.”
That’s right – those ever-present graphic codes, used for everything from listing the beers a bar serves to signing up for a retailer's discount, are cropping up in a good number of malicious emails.
And the only reason they’re there is that threat actors have figured out that they can utilize them to encode malicious URLs and get unsuspecting consumers to scan them and download some dangerous software onto their devices.
Cofense, an email security company, says the people most at risk are the ones who use their tablets or smartphones to read emails because those devices have built-in cameras that make opening a QR code easier than on a desktop or laptop.
Users' personal mobile devices lack the protection of network and endpoint solutions that prevent access to malicious URLs and generate alerts for security teams to investigate, suggests Cofense’s Kian Buckley Maher.
“With most of the attacks occurring outside of the protection bubble created by a company, it is more difficult to gather evidence of the attack and track any subsequent actions taken by the user,” Maher said.
Where these codes are popping up
Security company Aura says that the number one QR code danger these days is the one showing up on parking meters across the country. Recently, the Austin, Texas police department found 29 fraudulent QR codes on the city’s parking meters.
“When unsuspecting victims scanned the QR code, they were sent to an official-looking payment page to pay for parking,” Aura’s Yaniv Masjedi said in his overview of the situation.
“But when they entered their credit card information, it was sent to scammers who could then use it to make fraudulent purchases or even sell the victims’ personal data on the Dark Web.”
Besides phishing emails and parking meters, Masjedi said that other QR scams include:
Tampered QR codes in restaurants
Fake QR codes sent through the mail (surveys, sweepstakes, etc.)
QR codes on unexpected package deliveries
QR codes at sham COVID-19 testing centers
QR codes sent over social media (hacked accounts)
Cryptocurrency QR code scams
Fake QR code scanner apps that download malware
Who you can – and can’t – trust
As you can see, since QR codes can be used for just about anything, and scammers can impersonate just about anyone, all bets are off. It's been a long, slow build since QR codes first hit the scene, but scammers have graduated to the major leagues and are going for the bigger fish. As an example, ConsumerAffairs found out about a major QR code scam ring related to cash apps like Venmo and Zelle.
Maher says the bottom line for everyone is to be wary of scanning QR codes from any source they do not trust. “If uncertain, it is advisable to make use of a web-based service to scan the QR code.”
There are lots of options, as ConsumerAffairs found out when we searched for web-based readers, but make sure you research those because there could be a scammer lying in the weeds of those search results, too.
But as Maher demonstrated, scammers are even turning trusted companies like Microsoft into unwilling co-conspirators. Again, you can’t be too careful, and contacting the company at its official website before scanning a QR code could save you a headache and, possibly, a lot of money.