You can find QR codes on everything from yogurt containers to museum exhibitions, from utility bills to lottery tickets. People use them to open websites, download apps, collect loyalty program points, make payments and transfer money, and even to give to charity. The accessible and practical technology is convenient for many, including, as always, cybercriminals, who have already rolled out a variety of QR-based schemes. Here’s what can go wrong with those ubiquitous black-and-white squares, and how you can use them without fear.
What QR codes are, and how they are used
Nowadays, almost everyone owns a smartphone. Many of the latest models have a built-in QR scanner, but anyone can download an app that reads all QR codes, or opt for a special one, for example, for a museum.
To scan a QR code, a user simply opens the scanner app and points the phone’s camera at the code. Most of the time, the smartphone will prompt you to go to a certain website or download an app. There are other options, however, which we’ll get to in a bit.
Specialized scanners use a specific set of QR codes. You might find such a code on a sign for a historically important tree in a park, for example, in which case scanning it with the park’s official app might start a guided tour, whereas a standard scanner would simply open a description on the park’s website.
Furthermore, some apps can create QR codes to give certain information to anyone who scans them. For example, the person scanning might receive the name and password of your guest Wi-Fi network, or bank account details.
How cybercriminals use QR codes
QR codes are just a more advanced version of bar codes, so what could go wrong? Plenty, as it turns out. Humans can’t simply read QR codes or otherwise check in advance what scanning them will do, so we rely on the integrity of their creators. We also can’t know everything a QR code includes, even when we create our own. The system is very exploitable.
A QR code created by cybercriminals might point to a phishing site that looks like the login page of a social network or online bank. That’s why we recommend always checking links before tapping or clicking. A QR code, however, affords no such opportunity: the link cannot be read until the code has been scanned. Moreover, attackers often use short links, making it harder to spot a fake when the smartphone asks for confirmation.
Similar schemes can trick users into downloading the wrong app, for example, malware instead of the intended game or tool. At that point, the sky’s the limit; malware can steal passwords, send malicious messages to your contacts, and more.
Beyond linking to a website, a QR code may contain a command to perform certain actions. There, again, the possibilities are extensive; what follows is just a taste:
- Add a contact;
- Make an outgoing call;
- Draft an e-mail and populate the recipient and subject lines;
- Send a text;
- Share your location with an app;
- Create a social media account;
- Schedule a calendar event;
- Add a preferred Wi-Fi network with credentials for automatic connection.
The common thread is the automation of common actions. For example, by scanning a QR code, you can add contact details from a business card, pay for parking, or get access to a guest Wi-Fi network.
Those broad capabilities make QR codes ripe for manipulation. For example, scammers can add their contact info to your address book under the name “Bank” to lend credibility to a call attempting to defraud you. Or call a toll number on your dime. Or find out where you are.
How cybercriminals mask QR codes
For attackers to harm you using a QR code, they first have to persuade you to scan it. To do that, they have a couple of tricks.
Malicious sources. Cybercriminals can place a QR code with a link to their creation on a website, in a banner, in an e-mail, or even in a paper-based ad. The point is typically to get the victim to download a malicious app. In many cases, the Google Play and App Store logos are placed alongside the code for added credibility.
Substitution. It is not unusual for attackers to piggyback on the work and reputation of legitimate parties, replacing a real QR code on a poster or sign with a fake one.
Incidentally, QR code mischief is not limited to cybercriminals; unscrupulous social activists have begun using QR code substitution to disseminate their ideas. In Australia, for example, a man was recently arrested for allegedly tampering with the QR codes on check-in signs at COVID-19 centers so they led visitors to an antivaccination website.
Again, the possibilities are practically limitless. QR codes are common sights on utility bills, pamphlets, office signage, and almost anywhere else you might expect to find information or instructions.
How to avoid QR trouble
For safety, follow a few simple rules when using QR codes:
- Do not scan QR codes from obviously suspicious sources;
- Pay attention to the links displayed when scanning the code. Be especially wary if the URL has been shortened, because with QR codes, there is no compelling reason to shorten any link. Instead, use a search engine or official store to find what you’re looking for;
- Do a quick physical check before scanning a QR code on a poster or sign to make sure the code isn’t pasted over the original image;
- Use a program such as Kaspersky’s QR Scanner (available for Android and iOS) that checks QR codes for malicious content.
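The action types listed under "How cybercriminals use QR codes" and the advice above about shortened links can both be checked before acting on a scan. The following is an added example, not part of the original article or of any Kaspersky product: it takes an already-decoded QR string and reports what the code would do. The function name, the shortener list and the sample strings are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Illustrative, non-exhaustive list of link-shortening hosts (assumption).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "goo.gl"}

# Widely used payload prefixes mapped to the action a scanner app may offer.
PREFIX_ACTIONS = [
    ("tel:", "make an outgoing call"),
    ("sms:", "send a text"),
    ("smsto:", "send a text"),
    ("mailto:", "draft an e-mail"),
    ("wifi:", "add a Wi-Fi network"),
    ("begin:vcard", "add a contact"),
    ("mecard:", "add a contact"),
    ("begin:vevent", "schedule a calendar event"),
]


def describe_qr_payload(payload):
    """Return (action, detail, warnings) for an already-decoded QR string."""
    text = payload.strip()
    lowered = text.lower()
    warnings = []
    if lowered.startswith(("http://", "https://")):
        host = (urlsplit(text).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            warnings.append("shortened link hides the real destination")
        return "open a website", host, warnings
    for prefix, action in PREFIX_ACTIONS:
        if lowered.startswith(prefix):
            detail = text[len(prefix):].strip()
            if prefix == "wifi:":
                # WIFI:T:<auth>;S:<ssid>;P:<password>;; -> show only the SSID.
                # Simple split; backslash-escaped separators are not handled.
                fields = dict(f.split(":", 1) for f in detail.split(";") if ":" in f)
                detail = fields.get("S", "")
            elif prefix == "begin:vcard":
                # Show the display name (FN) the card would store.
                names = [l[3:] for l in text.splitlines() if l.upper().startswith("FN:")]
                detail = names[0] if names else ""
            warnings.append("performs an action rather than opening a page")
            return action, detail, warnings
    return "show plain text", text, warnings


if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real QR code.
    for sample in ("https://bit.ly/3xAmPle", "WIFI:T:WPA;S:GuestNet;P:constructed-pass;;"):
        print(describe_qr_payload(sample))
```

Showing the contact name or network name next to the action lets a user notice, for instance, a contact card that would be saved as "Bank".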
QR codes can also hold valuable information such as e-ticket numbers, so you should never post documents with QR codes on social media.