Use QR codes securely: how to avoid fraudsters and fake codes

Nowadays, even a child has a device with internet access – a phone, tablet, or laptop. Almost every up-to-date smartphone camera allows you to scan QR codes. You can scan them either with a universal app that reads any code or with a specific application created by a particular organization – for instance, a museum, park, or event organizer.

Whenever users enable the QR scanner and point the camera at the square with symbols, the device reads the data encoded in the code. Most often, after scanning, your device will open a relevant site or a specific app page. Nevertheless, other outcomes are possible, and we’ll cover them below.

Specialized scanners differ from their counterparts in that they work better in tandem with their own QR codes. For example, let’s say you see a sign in front of a prominent tree in a park, and it has a QR square on it. If you have downloaded the official application of this park, the specially-created codes on plates will turn into a whole excursion. Meanwhile, a regular scanner, upon reading the code, will likely redirect you to the park’s site – you will need to read the description of each exhibit on a separate page.

In addition, some apps can generate QR codes to transfer some information about you to various people. For example, it can be the credentials of a Wi-Fi network or even the payment data.

How can hackers apply QR codes?

QR-encoded links

While you might enjoy the convenience and smartness of QR, the technology also carries a high risk of attacks by hackers. Since people can’t read and understand the content of a QR code, we all rely on the integrity of those who embed data in them. It’s impossible to know in advance what might happen when we scan the cherished square – or exactly what data an application that creates a QR square actually encodes in it. This opens up a lot of opportunities for cybercriminals.

For instance, a code generated by criminals can lead people to a phishing site imitating a social media login page or a mobile bank account. So when you enter your data there, hackers get all this info. We usually advise you to look at the URL before following it. But QRs don’t give you an opportunity to notice strange characters. What is more, hackers frequently use short links because it’s more difficult to recognize a fraud when the smartphone asks for confirmation.

A similar scheme exists with QR codes for quick app downloading. Unfortunately, instead of a game or a useful service that you expect when looking at an ad poster, there is a chance to download malware, which might steal your passwords or start sending something indecent to your contacts.

QR-encoded commands

But that’s not all: a QR code can serve not only as a link to a site, but also as a command for performing certain actions. Here is just an incomplete list of them:

  1. Add a new contact to the address book.
  2. Make an outgoing call to the specified number.
  3. Create a draft email and fill in the recipient’s address.
  4. Send an SMS from your device.
  5. Reveal your geo-position for some apps.
  6. Follow accounts on socials.
  7. Create an appointment in the calendar.
  8. Add data for connecting to a specific Wi-Fi network and add it to the list of preferred ones.

All the functionality was developed to automate simple activities. For example, having read a QR code, it’s possible to transfer all the contact information from a printed card to the phone book, send a message about payment for parking using the desired template, or enable Wi-Fi connection.

However, these features turn codes into an efficient tool for hidden manipulation. For instance, fraudsters may add their own number to your contact list under the name “Bank.” Then, when they call you, the call appears to come from your bank, which makes it much easier for them to get access to your bank account. Unpleasant prospect, right?
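
As an added illustration (not code from the original article), the Python sketch below classifies a decoded QR payload by its prefix and returns the action and key fields a scanner could show before doing anything. The prefixes are the commonly used conventions for these payload types; the function names and sample payloads are constructed for this example.

```python
import re

# Prefix -> action a scanner app may offer; matched case-insensitively.
ACTIONS = [
    ("BEGIN:VCARD", "add contact"), ("TEL:", "place call"),
    ("MAILTO:", "draft email"), ("SMSTO:", "send SMS"), ("SMS:", "send SMS"),
    ("GEO:", "open location"), ("BEGIN:VEVENT", "add calendar event"),
    ("BEGIN:VCALENDAR", "add calendar event"),
    ("WIFI:", "join Wi-Fi network"), ("HTTP://", "open link"),
    ("HTTPS://", "open link"),
]
# Constructed sample payloads (not from the article).
SAMPLE_WIFI = r"WIFI:T:WPA;S:Cafe\;Guest;P:pw:1;;"
SAMPLE_VCARD = "BEGIN:VCARD\nVERSION:3.0\nFN:Bank\nTEL;TYPE=CELL:+15550100\nEND:VCARD"

def wifi_fields(payload):
    """Parse WIFI:T:<auth>;S:<ssid>;P:<password>;; honouring backslash escapes."""
    fields = {}
    for item in re.findall(r"((?:\\.|[^;\\])*);", payload[len("WIFI:"):]):
        key, sep, value = item.partition(":")
        if sep:
            fields[key.upper()] = re.sub(r"\\(.)", r"\1", value)
    return fields

def vcard_fields(payload):
    """Return the display name (FN) and phone numbers (TEL) from a vCard."""
    name, phones = "", []
    for line in payload.splitlines():
        prop, _, value = line.partition(":")
        prop = prop.split(";")[0].upper()  # drop parameters such as TYPE=CELL
        if prop == "FN":
            name = value.strip()
        elif prop == "TEL":
            phones.append(value.strip())
    return name, phones

def describe(payload):
    """Return (action, detail) to show the user BEFORE anything is executed."""
    text = payload.strip()
    prefix, action = next((a for a in ACTIONS if text.upper().startswith(a[0])),
                          ("", "show text"))
    if prefix == "WIFI:":
        f = wifi_fields(text)
        return action, f"SSID={f.get('S', '?')} auth={f.get('T', 'nopass')}"
    if prefix == "BEGIN:VCARD":
        name, phones = vcard_fields(text)
        return action, f"name={name} tel={','.join(phones)}"
    if prefix.startswith(("BEGIN:", "HTTP")):
        return action, text  # show calendar entries and links in full
    return action, text[len(prefix):]
```

Showing the contact name next to the number it maps to makes a "Bank" entry with an unfamiliar number visible before it reaches the address book.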

Top methods attackers use to deceive you via codes

Of course, hackers will want you to use the QR they generated for malicious purposes. They have developed several techniques to fool you – so be aware of each.

Fraudulent QR sources. This approach is commonly used to get a victim to download a fraudulent app. Usually, attackers embed a harmful QR code into a webpage, printed or digital banners, or email. They may even use the Google Play or App Store logos next to the code to win your trust.

A code can be replaced. Often, attackers endanger other people’s and organizations’ reputations by replacing an actual QR code on a poster or a plate with a fake one.

By the way, unscrupulous activists of social movements have recently begun to use the substitution of QR codes, too. For example, in Australia one person pasted several QR codes on COVID-19 control signs. As a result, instead of being directed to a site with public health information, users opened an anti-vaccine campaign site.

QR codes that contain bank details can be changed on documents sent to the payer, for example, by printing and distributing fake utility bills in the mailboxes. Instead of the real recipient, the money will go to the attacker’s account.

To avoid becoming a victim of cybercriminals, pay attention to these recommendations:

  1. Never scan QR codes of dubious origins.
  2. Be cautious with the URLs you are offered after scanning a code. Check whether the real address has been hidden behind a URL shortening service: there is no good reason to shorten a link in a QR code. It is better to find the site you are interested in by searching on the internet and to open the app through the official store.
  3. Before scanning QR codes from advertising posters and signs, make sure that the original image is not covered with a picture with a fake code.
  4. Also, remember another danger associated with QR codes – attackers can steal codes that contain some important data – for example, an electronic ticket number. Therefore, you should not publish documents or photos containing QR codes on social networks.
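
The URL checks from recommendation 2, as an added Python example that is not part of the original article: it inspects a link decoded from a QR code without opening it and lists the reasons to distrust it. The shortener list is a small illustrative sample, and the function names and test URLs are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Small illustrative list of well-known shortener hosts; extend for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "goo.gl"}

def url_warnings(url):
    """Return reasons to distrust a URL decoded from a QR code (no network access)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        warnings.append("text before '@' hides the real host")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the destination")
    punycode = any(label.startswith("xn--") for label in host.split("."))
    if punycode or not host.isascii():
        warnings.append("internationalized host may imitate another name")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    return warnings

def expected_site(url, official_domain):
    """True only if the host is the official domain or one of its subdomains."""
    host = (urlsplit(url.strip()).hostname or "").lower()
    official = official_domain.lower()
    return host == official or host.endswith("." + official)
```

An empty list does not prove a link is safe; `expected_site` is the stronger check when you already know which domain the code is supposed to lead to.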
