Written by guest poster, Len Noe, technical evangelist and white hat hacker at CyberArk
If it seems like there’s a QR code on everything these days, you’re right. In the contactless era, these little black and white grids emerged from relative obscurity to replace everything from restaurant menus to train station ads. The Australian government embraced them wholeheartedly to facilitate contact tracing and vaccination status verification.
More than two years of pandemic-fuelled cyber-crime has made many consumers more cautious about their digital activity. Emails, calls and even texts are scrutinised closely, forcing many attackers to step up their phishing games. And yet, QR codes haven’t really registered as potentially dangerous, and most people still scan them without a second thought.
What is a QR Code?
Short for quick response code, a QR code is a type of two-dimensional barcode that contains data, often a locator, identifier or tracker. It can be easily read by a smartphone or other camera-equipped device and converted into useful information for the end-user, such as the URL of a website or an application. QR codes are accessible, easy to produce and, seemingly, here to stay. They’re also a perfect way for cyber criminals to snag your personal information.
Last year, the private key used to sign the European Union’s Green Pass vaccine passports was reportedly leaked or forged. Within days, fake QR code-laden passes signed with the stolen key were up for sale on the Dark Web. In China, scammers have been caught placing fake parking tickets — complete with QR codes for easy mobile fine payment — on parked cars. And in Texas, criminals hit the streets, pasting stickers of malicious QR codes on to city parking meters and tricking residents into entering credit card details into a fake phishing site.
QR code attacks are happening everywhere with alarming frequency. Here are seven ways to protect yourself:
Don’t scan it!
If anything feels off, don’t scan the QR code. Just go to the actual website directly. Any legitimate QR code should have an associated URL under it, giving users the option to navigate there directly. If it’s missing, beware.
Before you scan any QR code, ask yourself: Do I know who put the QR code there? Do I trust that it hasn’t been tampered with? Does it even make sense to use a QR code in this situation?
Inspect QR code URLs closely
After scanning the QR code, check out the URL it directs you to before proceeding. Does it match the organisation associated with the QR code? Does it seem suspicious, or include strange misspellings or typos? For instance, in the Texas parking meter scams, part of the URL used was “passportlab.xyz” — clearly not an official city government website. You can also do a quick web search of the URL to confirm that the QR code is legitimate.
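The URL check described above, as an added Python illustration that is not code from the original post: it takes the text a scanner decoded from a QR code and lists every reason to stop and type the organisation’s real address instead. The allowlisted hosts are constructed placeholders; `passportlab.xyz` is the domain the post cites from the Texas parking meter scam.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts the user expects this particular code to point at
# (e.g. the city's own parking domain). Hypothetical names, not real sites.
EXPECTED_HOSTS = ("parking.examplecity.gov", "menu.example-restaurant.com")


def vet_qr_url(payload: str, expected_hosts=EXPECTED_HOSTS) -> dict:
    """Return {'host', 'findings', 'ok'} for a string decoded from a QR code.
    Any finding means: do not follow the link, go to the site directly."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")

    if scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {scheme!r}")
    elif scheme == "http":
        findings.append("plain HTTP, not HTTPS")
    if not host:
        findings.append("no hostname in payload")
    if "@" in parts.netloc:
        # 'https://parking.examplecity.gov@evil.example/' really goes to evil.example
        findings.append("user info before '@' hides the real host")
    if not host.isascii() or "xn--" in host:
        findings.append("internationalised hostname (possible look-alike characters)")

    trusted = any(host == h or host.endswith("." + h) for h in expected_hosts)
    if host and not trusted:
        findings.append(f"host {host!r} is not one of the expected organisations")
        for h in expected_hosts:
            # Coarse typo/impersonation heuristic: the familiar name (or its first
            # label) appears inside a domain somebody else registered.
            if h in host or h.split(".")[0] in host:
                findings.append(f"looks like {h!r} but the registered domain differs")
                break
    return {"host": host, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    for sample in (
        "https://menu.example-restaurant.com/table/4",
        "https://passportlab.xyz/pay",                       # domain from the Texas scam
        "https://parking.examplecity.gov.passportlab.xyz/",  # familiar name, wrong domain
        "https://parking.examplecity.gov@passportlab.xyz/",  # user-info trick
    ):
        verdict = vet_qr_url(sample)
        print("OK  " if verdict["ok"] else "STOP", sample, verdict["findings"])
```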
Look for signs of physical tampering
This is especially important in places where QR codes are commonly used, such as restaurants. If you spot a QR code sticker stuck on top of another code, be very skeptical.
Never download apps from QR codes
Bad actors can clone and spoof websites easily. Always go to the official app market for your device’s OS and download your apps from there.
Don’t make electronic payments via QR codes
Use the native app or direct a browser to the official domain and log in there.
Turn on multi-factor authentication (MFA)
This will help protect your sensitive accounts, such as banking, email and social media apps. With another authentication layer in place, a cyber-criminal cannot access your data with just your login and password.
When it comes to QR codes, the best piece of advice is to always use common sense. If it was an email, would you click on it? QR codes are becoming one of attackers’ favourite phishing methods — and the same rules apply. Proceed with caution and apply the same security scrutiny as you would with anything in the digital realm.
Scan safe out there — or better yet, don’t scan at all!