YOUR BUSINESS AUTHORITY

Springfield, MO


Opinion: Decoding the trending QR scams

Posted online

The city of Battlefield’s largest park added several updates in the last few months. Changes include more pickleball courts and a modern exercise station. Because both new amenities may require explanation to use them most effectively, the park displays giant QR codes that visitors can scan to learn more.

Since the pandemic, public QR codes have surged in popularity, so the park’s QR codes seem convenient, useful and well placed.

Here’s what else you need to know about QR – or quick response – codes. There’s a hidden threat.

The attack vector
Like clicking blind links in emails, QR code scanning transports you, the scanner, and your device to a predetermined place – one you might not want to go. Unless you’re using a program or phone camera that allows you to preview the URL destination before clicking the link, QR codes act a lot like instant teleporters to somewhere. Another analogy is stepping onto a plane and not knowing the airport where it’ll land.

Because of this blind operational flow, scammers are enhancing their schemes with QR code fraud, redirecting the intended link to a website that looks and behaves as expected but, alas, is something else. According to an article on HackRead.com, cybersecurity vendor Check Point Software Technologies Ltd. (Nasdaq: CHKP) reports a dramatic 587% increase in QR code phishing attacks, aka “quishing,” from August to September this year.

Another HackRead.com article, titled “‘Picture in Picture’ Technique Exploited in New Deceptive Phishing Attack,” gave this warning: “By embedding nefarious URLs within promotional images, cybercriminals exploit the limitations of URL filters, making it challenging for security systems to identify the threats.”

In public and emails
QR codes are ubiquitous now – restaurant menus, parking meters, scooter rentals downtown, etc.

So, how do scammers attack QR codes posted in public? Frequently, it’s a sticker of another QR code overlaying the original QR code.

Using a parking meter example, the QR code on the sticker would deposit the scanner on a website and show a way to pay and capture credit card information. Earlier this year, news stories from Honolulu and Charlotte, North Carolina, revealed these exact scams. The fake websites so often look and operate just as the user would expect.

Also, QR codes in emails can replace weblinks. With traditional links, a user can hover or mouse over links, and a computer’s email program will show the URL tied to it. It’s not so with QR codes – just scan and go. Scammers are wise to this as well. Because QR codes are images, they can sometimes bypass software that’s screening for sketchy URLs, so expect to see more QR codes in emails.

Safer QR use
Here are a few pointers to use QR codes more safely:

  • QR codes are easy to create. When doing so, include a URL with the QR code so that viewers can choose which one to use.
  • About to scan? If your phone’s camera doesn’t show you the URL behind the QR code, use an app that will and give you the choice whether to continue. That pause equips you with the right information to make that choice.
  • If you’re reviewing a QR code in public, touch it to see if you can identify a sticker overlaid on the original QR code.
  • A related point: shortened links – like those generated by Bitly and TinyURL – also don’t show the destination of the link. Avoid those.
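
The pause described in the pointers above can be partly automated once a scanner app has decoded the QR code to text. This Python sketch is an added example, not part of the original column; the function names, the shortener list and the sample URLs are assumptions, and an empty result means only that none of these checks fired.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a short, non-exhaustive shortener list; the article names Bitly and TinyURL.
SHORTENERS = {"bit.ly", "tinyurl.com"}

def host_of(url):
    """Lower-cased host of a URL; a printed URL may omit the scheme."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def review_qr_payload(payload, printed_url=None):
    """Return reasons to pause before opening a decoded QR payload (empty list = none found)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["payload is not a parseable URL"]
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    if not host:
        return reasons + ["no host to inspect"]
    if parts.username or parts.password:
        reasons.append("userinfo before host")  # text before '@' is not the destination
    if host in SHORTENERS:
        reasons.append("shortened link hides destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")  # may render as a look-alike name
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address host")
    except ValueError:
        pass  # host is a name, not an IP literal
    if printed_url:
        # Compare against the URL printed beside the code, allowing subdomains of it.
        expected = host_of(printed_url)
        if host != expected and not host.endswith("." + expected):
            reasons.append("host differs from printed URL")
    return reasons

if __name__ == "__main__":
    # Constructed samples: (decoded payload, URL printed beside the code)
    for payload, printed in [
        ("https://parks.example.org/pickleball", "parks.example.org"),
        ("https://bit.ly/abc123", "parks.example.org"),
        ("http://203.0.113.7/pay", None),
    ]:
        print(payload, "->", review_qr_payload(payload, printed) or "no flags")
```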

QR codes are here to stay; we’re already at the point of widespread adoption. Use caution and tell your friends and family to pause and evaluate. As with any request, pause to determine the level of trust you have with the requestor and the request.

Learn more – I suggest the Better Business Bureau, which thoroughly discusses scams in general. Scams today often originate by electronic means.

So, scanners, be alert to scammers.

Heather Noggle is owner of Codistac LLC. She can be reached at hnoggle@codistac.com.
