As hands-free, low- and no-contact trends exploded in popularity during the pandemic, QR code technology became more prevalent. So, too, did the ways to take advantage of the technology and turn a QR code into a phishing operation, or worse. QR codes are appearing in public places such as parking areas, restaurants, and hospitals, where they offer a convenient, no-touch way to pay for or order a service. That accessibility, however, extends beyond patrons looking for a simple, germ-free way to get things done: malicious actors are taking advantage of QR codes in public places and are also sending them in phishing campaigns over email and SMS.
At the end of 2023, the Federal Trade Commission published a warning about an uptick in, and the tactics used by, scammers and fraudsters disseminating QR codes that stole personally identifiable information (PII) or directed unsuspecting victims to fraudulent websites that would do so. QR codes can also install malware onto personal devices, such as laptops and mobile phones. The dark web and its adjacent platforms, such as Telegram, offer tutorials and services that enable cyber criminals to steal not only information but, in some cases, victims' finances using QR codes:
The easiest method to spread QR code fraud is simply placing a sticker over a QR code located in an open, public place. Criminals can do this outside of the range of security cameras in many instances. These cover-up QR codes can send victims to fraudulent websites.
Alternatively, when QR codes are sent via email, embedding them as an image in the message does not trigger security or scanning software, so the malicious link encoded in the QR code still works and lures victims to the malicious website. This tactic is called “Quishing” – a portmanteau of QR code and phishing.
Both of the above scenarios rely on people using personal devices while they are out and about, running errands. Personal devices often have weaker security protections than a corporate or employer-sponsored device. Criminals also take advantage of the fact that people are often in a hurry when running errands or heading to a leisure event, so they don’t take the time to inspect URLs for typos or suspicious-looking links. To maximize their financial gain, online tutorials offer QR code fraud guides of all types:
Since QR code fraud is similar to phishing operations, the same protective measures apply:
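The URL inspection described above can be automated on the text decoded from a QR code before anything is opened. The following is an added example, not part of the original article; the expected domains, the sample hosts and the function names are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains that this organisation's genuine QR codes point to (constructed).
EXPECTED_DOMAINS = {"pay.parking.example", "menu.cafe.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_qr_payload(payload, expected=EXPECTED_DOMAINS):
    """Return reasons the decoded QR text looks suspicious (empty list = none found)."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if not host:
        return findings + ["no-host"]
    # "https://trusted@other-host/" shows a trusted name but connects to other-host.
    if parts.username or parts.password:
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # host is a name, not an IP literal
    # Punycode labels can render as characters that imitate another domain.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    if host not in expected:
        # A host within two edits of an expected domain is treated as a typo lookalike.
        near = [d for d in expected if 0 < edit_distance(host, d) <= 2]
        findings.append("lookalike-of:" + sorted(near)[0] if near else "unexpected-domain")
    return findings
```

An empty result only means none of these specific checks fired; it is not a verdict that the destination is safe.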