
Protect Yourself from Fake QR Codes


With the pandemic also came a resurgence of QR codes. Once thought dead, at least in the United States, they are now more widespread than ever. From restaurant menus to Super Bowl advertisements (good one, Coinbase!), they are ever-present in our lives today.

Think back over the last 2 weeks: how many QR codes have you scanned? 2, 3, 4, more? For how many of those did you verify authenticity before scanning?

The use of fake QR codes to steal personal information, or worse, has risen in popularity right alongside the growing use of QR codes. In this blog post we will discuss the risks that this type of social engineering attack poses and what you can do to avoid becoming a victim of it.

What are QR codes and what are they used for

A QR (quick response) code is a two-dimensional barcode that can be read using a smartphone camera. They are commonly used to encode URL information, so that when the code is scanned, the user is taken to a specific website. However, QR codes can also be used to store other types of data, such as contact information or a calendar event.

In recent years, QR codes have become increasingly popular as a way to share information quickly and easily. As a result, they can be found on everything from billboards to business cards. While some people see them as a simple convenience, others view them as an eyesore. Regardless of your opinion on QR codes, there's no denying that they're here to stay.

How to spot a fake QR code

How can you tell if a QR code is fake? Fake QR codes are becoming more and more common, as scammers attempt to trick people into visiting malicious websites. There are a few things you can look for to spot a fake QR code:

  1. Check the URL. If the code redirects to a URL that doesn't look legitimate, it's probably fake.
  2. If the QR code is printed on a sticker that has been placed in a public location, treat it with extra caution. 
  3. Be wary of codes that offer too-good-to-be-true deals. If a QR code promises a free product or service, it's probably a scam.
  4. Inspect the code closely. If the QR code is blurry or distorted, it's likely not genuine.
  5. If the QR code is pasted on a wall, table, or menu, check whether it has been stuck on top of the original code. Criminals often stick a fake QR code on top of a real one.

The risks of scanning a fake QR code

Scanning a malicious QR code could result in a multitude of consequences. Simply visiting a potentially malicious website may not result in any bad consequences. However, you scanned that QR code for a reason, which means you already have some level of trust in that website. Bad actors use that trust to convince you to enter personal information so that they can steal it.

They may lure you into scanning a QR code with the promise of a free gift card, or pretend to be an institution you trust, say your bank. Once you get to their spoofed website and log in to your account, just like that, they have your login.

QR codes can also point to links that automatically download files. This can be used maliciously to download malware or viruses that then go to work to steal your information or ransom your data.

Criminals are also starting to put fake QR codes on top of real codes, making it even more difficult to know what is safe to scan. For example, many coffee shops have started using QR codes to connect customers to the Wi-Fi. A bad actor could spoof a website that asks for some personal information, print out their own QR codes, and paste them over the coffee shop's to steal your information.

Examples of real-world attacks that used fake QR codes

In one case, a group of thieves placed fake QR codes on ATM machines. When victims scanned the code, they were redirected to a site that asked for their bank account information. The thieves then used this information to empty the victims' accounts.

In another case, scammers placed fake QR codes on public benches. When people scanned the code, they were taken to a site that claimed they had won a free vacation. The scammers then collected personal information from the victims and used it to commit fraud. 

In Texas, criminals set up a fake parking payment app and placed QR codes on public parking meters directing people to download the app. Not only did victims wind up losing money to the criminals, they got parking tickets as well, thinking that they had paid their meter via the criminals' payment app.

Best ways to avoid being a victim of a fake QR code

If at all possible, get yourself out of the habit of scanning QR codes entirely. While they can be useful, you can generally find the information you need without scanning it.

If you're at a restaurant with a menu on a QR code you can usually go to their website directly to find it, or ask your server for a menu (they will usually give you one if you ask!).

If it is not possible to avoid scanning QR codes, take a second to check the URL that pops up in your scanner app before clicking. You're looking for a familiar URL that matches the organization or domain that you are expecting to be sent to.
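The URL check described above can be written down as code. This is an added example, not part of the original post: a hypothetical Python function, `check_qr_url`, that takes the text decoded from a QR code and the domain you expected, and lists the reasons the link does not match. The sample payloads are constructed and use reserved example domains and addresses.

```python
import ipaddress
from urllib.parse import urlsplit


def check_qr_url(payload: str, expected_domain: str) -> list[str]:
    """Return warnings for a decoded QR payload; an empty list means the
    link is HTTPS and points at the expected domain or a subdomain of it."""
    warnings = []
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["payload is not a parseable URL"]
    scheme = parts.scheme.lower() or "missing"
    if scheme != "https":
        warnings.append(f"scheme is {scheme}, not https")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return warnings + ["no hostname in payload"]
    # "https://bank.example@other.host/" goes to other.host, not bank.example.
    if parts.username is not None:
        warnings.append(f"text before '@' is not the site; real host is {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    # Punycode labels can render as lookalike characters in some apps.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible lookalike characters)")
    # The expected domain must be the END of the host, on a label boundary.
    expected = expected_domain.lower().rstrip(".")
    if host != expected and not host.endswith("." + expected):
        warnings.append(f"host {host} is not {expected} or a subdomain of it")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, as if decoded from a parking-meter sticker.
    samples = [
        "https://pay.example.com/meter/42",
        "http://pay.example.com/meter/42",
        "https://example.com.login.example.net/pay",
        "https://example.com@203.0.113.7/pay",
    ]
    for url in samples:
        print(url, "->", check_qr_url(url, "example.com") or "looks as expected")
```

The third sample shows why reading only the start of a URL is not enough: the familiar name appears first, but the part that decides where you go is the end of the hostname.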

Wrap up


By looking out for certain signs of a fake QR code, you can protect yourself from cybercrime. Be wary of too-good-to-be-true deals and inspect the code closely before scanning it.

If you do end up scanning a malicious QR code, don't panic. In most cases, if you haven't downloaded anything or given out any information, you likely have nothing to worry about. On the other hand, if you did download something or enter information after scanning the URL, you may have some concerns.

In that case, contact your IT department for more assistance. Remember to always practice good cyber hygiene and you will be less vulnerable to all types of social engineering attacks, including QR code scams.

If you're looking for some good tips on staying cyber-safe or if your organization doesn't currently do cybersecurity awareness training, check out our Best Free One-Hour Cybersecurity Awareness Training Ever!

What are some other ways people can protect themselves from malicious QR codes? Let us know in the comments! And if you found this article helpful, be sure to share it with your friends and followers on social media. Thanks for reading!

Check out the wacky cybersecurity duo, Tater and Stache, as they discuss this very problem in "Scan Here for Free Fries."
