Fraud Alert: Malicious QR Codes Now Used by Online Scammers
Last updated August 25, 2021
You see them everywhere—on restaurant menus, in newspaper and magazine ads, on billboards, product packages, business cards, and at the checkout counter. Quick Response (QR) codes have been around for decades, but they were rarely used for consumer transactions before the pandemic.
These strange-looking black-and-white squares—developed by a Japanese company in 1994 as an inventory-control technology—can hold significantly more information than the standard bar code.
As the fear of COVID-19 made touchless interactions essential, QR codes became the “safe” way to place orders and make digital payments. Since the pandemic, half of all full-service restaurants now have digital menus accessed by QR codes, according to the National Restaurant Association. PayPal QR code payments are now accepted at CVS, Nike, Footlocker, and around 1 million small businesses, according to The New York Times.
Once scanned, a QR code typically opens a website (the URL is encoded in the black-and-white pattern itself) where you place an order, make a payment, download coupons or apps, or learn about new products and services. The code can also carry other kinds of data, such as Wi-Fi credentials or a payment request, which the phone acts on directly.
The rapid acceptance of QR codes has been good for retailers, but it’s also provided cyber criminals with a powerful new tool.
“The more people start using QR codes, the more of an opportunity it creates for attackers,” said Lorrie Cranor, director of the CyLab Security and Privacy Institute at Carnegie Mellon. “Most of the time, the QR code takes you to whatever website you thought you were going to, but sometimes you wind up going to a phishing website or a website that’s full of viruses or malware.”
For the fraudsters, hiding a malicious link in a QR code is better than including it in an email or text message, where the intended victim might spot it. You can’t look at that little square and spot the danger.
“Since a QR code can send you to any webpage, [the criminals] can do almost anything they want,” said Hank Schless, security solutions manager at Lookout, a global security firm. “They could send you to a rogue website and ask you to verify your identity—and in doing so, grab your personal information, maybe a Social Security number or credit card number. They could also ask you to download malicious applications that have hidden functionality to swipe sensitive data from your device.”
To prove how easily a QR code can be used to trick people, Lookout put a code on the side of its booth at a cybersecurity conference in San Francisco earlier this year, telling people to scan the code to win a free iPhone. The code led to iphonewinnerrsa.com. While it seemed legit, it could have been a clever phishing attack. Thankfully, the site was created by Lookout to prove its point: nothing on the sign distinguished it from a code a scammer might have posted.
Malicious QR codes are also dangerous because they can “initiate action on smartphones,” tech reporter Mike Elgan explained in a column for SecurityIntelligence.com. They can launch a payment app and transfer money, add contacts, follow a malicious account on social media, add a malicious Wi-Fi network, or divulge the victim’s location, he warned.
A New QR Twist to Old Scams
Con artists have added QR codes to a variety of familiar scams, the Better Business Bureau warned in a scam alert last month. Based on reports to the BBB Scam Tracker, these hoaxes include advance fee loan, employment, and utility scams. In many cases, the QR code encodes the scammer’s bitcoin wallet address, providing an instant and irreversible way for victims to send them money.
Checkbook read the Scam Tracker reports, and found that many involve bitcoin payments. A few examples:
- A couple lost $1,600 trying to rent a vacation house. The “rental agent” said to use his QR code to pay the deposit at a Bitcoin ATM.
- A caller, who claimed to be with the power company, threatened to turn off the electricity in 20 minutes because of an outstanding bill of $973. The homeowners were sent a QR code and told to use it at a nearby kiosk. It turned out to be the QR code to download the bitcoin app. Thankfully, the transaction was not completed.
- A consumer in Hawaii sent $1,000 via QR code to an investment company that made contact via Instagram. After the trading period ended, the scammer demanded a fee of $4,102 to withdraw the supposed $20,500 profit in the account. Again, the money was sent via a bitcoin machine to the address in the QR Code. Total loss: $5,102.
QR codes are here to stay and are likely to be used in a growing number of ways. While most QR codes are safe, it’s wise to be skeptical and take a few steps to reduce the risk before you scan.
Here’s how to play it safe:
- Check for tampering, such as stickers or overlays on signs or restaurant menus. Ask the clerk or server if that’s something the store or restaurant did.
- Beware of signs that offer “free Wi-Fi” by using a QR code—especially somewhere you have not visited before.
- Don’t download an app suggested by a QR code. Go to the Apple App Store or Google Play Store instead, and download the app from there.
- Don’t use a QR code that comes from strangers, even if they promise a prize, free vacation, free money, or a way to make quick cash. If you’re sent a QR code in a message that appears to be from someone you know, check with them before you scan and click. It’s possible their account was hacked.
- Be suspicious any time you see a shortened URL (bit.ly, tinyurl.com, and the like) when you scan a QR code. The shortened link itself tells you nothing about where it will take you.
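The device actions Elgan describes (joining a Wi-Fi network, launching a payment, adding a contact) and the checklist above all depend on one thing: looking at what the code actually contains before the phone acts on it. The following script is an added example, not code from Checkbook or any of the companies quoted in this article. It takes the already-decoded text that a “show me the URL first” scanner app displays and classifies what following it would do, flagging the patterns discussed here: cryptocurrency payment requests, Wi-Fi joins, contact cards, URL shorteners, plain-HTTP or raw-IP links, lookalike (internationalized) hostnames, and direct app downloads. The shortener list, the app-store list, and every sample payload are assumptions constructed for the example, not an authoritative blocklist.

```python
"""Triage the text decoded from a QR code before acting on it (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Assumed lists for this example; a real scanner would maintain these centrally.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd",
              "buff.ly", "cutt.ly", "rebrand.ly", "shorturl.at"}
APP_STORES = {"apps.apple.com", "itunes.apple.com", "play.google.com"}
PAYMENT_SCHEMES = ("bitcoin:", "bitcoincash:", "ethereum:", "litecoin:")


@dataclass
class Verdict:
    action: str                       # what the phone would do if you followed the code
    risk: str                         # "low", "medium" or "high"
    reasons: list[str] = field(default_factory=list)


def _kv_fields(body: str) -> dict[str, str]:
    """Split 'K:V;K:V;;' style fields (WIFI:, MECARD:) into a dict.
    Backslash-escaped ';' inside values is not handled; enough for triage."""
    out: dict[str, str] = {}
    for item in body.split(";"):
        if ":" in item:
            k, v = item.split(":", 1)
            out[k.strip().upper()] = v
    return out


def triage(payload: str) -> Verdict:
    p = payload.strip()
    low = p.lower()

    # Payloads that trigger a device action rather than open a page.
    if low.startswith("wifi:"):
        f = _kv_fields(p[5:])
        v = Verdict(f"join Wi-Fi network {f.get('S', '?')!r}", "high",
                    ["adds a network you did not choose; traffic can be intercepted"])
        if f.get("T", "").upper() in ("", "NOPASS"):
            v.reasons.append("open (unencrypted) network")
        return v

    if low.startswith(PAYMENT_SCHEMES):
        scheme, _, rest = p.partition(":")
        addr, _, query = rest.partition("?")
        amount = parse_qs(query).get("amount", ["unspecified"])[0]
        return Verdict(f"open wallet to pay {amount} {scheme} to {addr}", "high",
                       ["cryptocurrency payment: instant and irreversible"])

    if low.startswith(("mecard:", "begin:vcard")):
        return Verdict("add a contact card", "medium",
                       ["a saved contact lends later phishing calls or texts false legitimacy"])

    if low.startswith(("tel:", "sms:", "smsto:", "mailto:")):
        scheme, _, target = p.partition(":")
        return Verdict(f"start a {scheme.lower()} action to {target}", "medium",
                       ["premium-rate or scammer-controlled destination possible"])

    # URLs: the common case. Each check can only raise the risk, never lower it.
    if low.startswith(("http://", "https://", "intent://", "market://")):
        u = urlsplit(p)
        host = (u.hostname or "").lower()
        v = Verdict(f"open {u.scheme}://{host}{u.path or '/'}", "low")
        if u.scheme in ("intent", "market"):
            v.risk = "high"
            v.reasons.append("app-install/intent link; install apps from the store app directly")
        if u.scheme == "http":
            v.risk = "medium"
            v.reasons.append("plain HTTP: no lock icon, page can be altered in transit")
        if host in SHORTENERS:
            v.risk = "high"
            v.reasons.append("URL shortener hides the real destination")
        if host.startswith("xn--") or ".xn--" in host or not host.isascii():
            v.risk = "high"
            v.reasons.append("internationalized hostname: possible lookalike domain")
        if host.replace(".", "").isdigit():
            v.risk = "high"
            v.reasons.append("raw IP address instead of a domain name")
        if u.username or u.password:
            v.risk = "high"
            v.reasons.append("text before '@' is a username, not the site; real host follows it")
        if u.path.lower().endswith((".apk", ".ipa")):
            v.risk = "high"
            v.reasons.append("direct app download (sideloading) rather than an app store")
        if host in APP_STORES:
            v.action = f"open app store listing at {host}"
            v.reasons.append("check the developer name on the listing before installing")
        return v

    # Anything else is plain text (table numbers, inventory data) and inert.
    return Verdict("display text only", "low")


if __name__ == "__main__":
    # Constructed sample payloads, modeled on the scams described in the article.
    for sample in ("https://www.example-restaurant.test/menu",
                   "https://bit.ly/3abcXYZ",
                   "bitcoin:bc1qexampleaddressnotreal?amount=0.05&label=Deposit",
                   "WIFI:T:nopass;S:Free Cafe WiFi;;",
                   "https://paypal.com@evil.example/login"):
        v = triage(sample)
        print(f"[{v.risk:6}] {v.action}\n         {'; '.join(v.reasons) or 'no flags'}")
```

The script deliberately works on the decoded string rather than the image: the point is that the safe moment to decide is after the scanner shows you the payload and before anything opens. A “low” verdict is not a guarantee of legitimacy (a phishing site on a well-formed HTTPS domain passes every check here), which is why the certificate inspection Budd describes below still matters.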
Christopher Budd, global threat communications manager at Avast, says it’s important to know where the QR code is going to take you. One way to do that is to use a QR scanning app that shows you the URL before you click on it. Look at the URL and then click on the “lock” in the address bar to see what the certificate says.
“In the past few years, bad guys are using SSL [secure] connections for their malicious websites, so just looking for a lock is not sufficient anymore,” Budd told Checkbook. “You have to click on the lock to find out what server you are actually connecting to.”
Consider Antivirus Protection for Your Phone
Many people don’t think about security on their smartphones. And yet, these devices contain mountains of sensitive personal information. Security software can block malicious links and warn about possible phishing attacks.
Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He is also the consumer reporter for KOMO radio in Seattle. You can also find him on Facebook, Twitter, and at ConsumerMan.com.