5 Ways to Avoid a QR Code Scam

Follow these simple rules to cut the risk of becoming a QR code scam victim: Internet Scambusters #542

Crooks have hijacked the QR code labeling system to dupe victims into downloading malware onto their smartphones or to phish for confidential information.

In this week’s issue we explain how the codes — advanced bar codes that look like boxes of dots and squares — can lead users to malicious websites.

The impostors are virtually impossible to detect, but we’ll tell you 5 things you can do to avoid becoming a victim.

Let’s get started…




The QR code, those boxes full of digital dots and square blobs that you see on so many products and ads these days, has become the latest tool for spammers and malware crooks.

If you own a smartphone, you probably already know how QR codes work: you scan the code with your phone’s built-in camera, and a code reader then takes you to a website where, supposedly, you’ll get more information.

“QR” stands for “Quick Response” (sometimes also “Quick Read”) and that’s exactly what these multidimensional barcodes are for. They’re supposed to save you the time and trouble of making a note of a website address by taking you straight there.

Because they’re so convenient and easy to use (once you know how!) they’re popping up everywhere — not just on labels and in magazines but also, for example, on some tourist monuments, providing instant details on the site being visited.

No wonder then that scammers have seized the opportunity to use them to divert victims to malicious websites.

These may then present users with spam or a bogus page that looks like the real thing and phishes for personal information used for identity theft.

On some devices, the scan may also download malware, which steals information and plants spam advertising on your cell phone.

According to a recent report on tech site The Register, the crooks simply use stickers to place their own QR codes on top of legitimate ones — and there’s virtually no way for users to tell if they’re genuine or not.

On billboards in public places like airports, train stations and bus depots, the QRs are purposely placed within easy reach so people can scan them.

But this plays into the hands of the scammers because it also makes them easy to cover with their own stickers.

The Register quotes a specialist at online security firm Symantec as saying: “There has been an explosion in the number of QR codes over the last couple of years, and cybercriminals are taking full advantage.

“Because QR codes look just like pictures it’s extremely difficult to tell if they’re genuine or malicious, making it easy to dupe passers-by into scanning codes that may lead to an infected site or perhaps a phishing site.”

In fact, in some reported instances in Europe, crooks have just been placing stickers randomly on building walls and floors, knowing that sooner or later a curious passer-by will scan one.

In theory they could even be stuck over displays in stores or advertisements in bookstore magazines or doctor’s office waiting rooms — though these have not been reported so far.

Generating the QR codes in the first place is easy too.

You don’t need sophisticated equipment. There are plenty of Internet sites where anyone can just key in a website address — crooked or legitimate — and generate a code image in seconds.

5 Ways to Protect Yourself

For now, there’s really no visible way of detecting the difference between a real and a phony QR code, but that doesn’t mean you’re defenseless.

Here are 5 things you can do:

  • Never scan a code box that doesn’t appear to be linked to anything else and has no accompanying text — for example just stuck on a wall or floor.
  • Even if there is other information, for instance when it’s on a poster, be wary about scanning a code in public places, like transportation depots, bus stops or city centers.
  • If you decide to scan, check first to see if the code is on a sticker. A quick finger check will tell you this. If it’s a sticker, don’t scan.
  • Use a scanner app that actually checks the website the QR code is pointing to before taking you there.

    As we’ve previously warned, smartphones that use the Android operating system are the most vulnerable and frequently targeted devices.

    Secure reader apps are readily available. Just do a search for “secure QR reader app”.

    The most common and best known is the free Android app “Snap,” while “QR Pal,” also free, is available for all popular operating systems.

    However, since we haven’t tested these or any others, we’re not able to make a recommendation.

  • If you scan a code and find yourself on a web page that asks for confidential information like passwords, even if it looks like the real thing, don’t key the information in.

Nothing is that important. You can always follow up later by investigating the product or other information yourself on your PC when you get home.
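For readers who want to see what "checking the website before taking you there" can look like, here is an added example (not code from this newsletter or from any of the apps named above) that reviews the text decoded from a QR code before anything is opened. The rule set, the function name and the expected_domain parameter are assumptions made for illustration, and the sample links are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed rule set for illustration; these hosts are well-known link shorteners.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def review_qr_payload(payload, expected_domain=None):
    """Return warnings for text decoded from a QR code (empty list = none).

    expected_domain (hypothetical parameter) is the site the poster or
    product claims to belong to.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed link; do not open"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"not a web link (scheme {scheme or 'none'!r}); do not open"]
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ["no host in link; do not open"]
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username or parts.password:
        warnings.append("text before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # a normal host name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another name")
    if host in SHORTENERS:
        warnings.append("shortened link hides the destination")
    if expected_domain:
        exp = expected_domain.lower()
        # The real site is the expected domain itself or a subdomain of it.
        if host != exp and not host.endswith("." + exp):
            warnings.append(f"host {host} is not {exp}")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, as if read from a poster for example-airline.com
    for link in ("https://www.example-airline.com/deals",
                 "https://example-airline.com.login-check.example/account",
                 "http://user@203.0.113.7/app.apk"):
        print(link, "->", review_qr_payload(link, "example-airline.com") or "no warnings")
```

An empty result only means none of these simple rules fired; it does not prove the page is safe, so the advice about not keying in passwords still applies.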

Finally, if you do encounter what appears to be a bogus QR code attached to a product, advertisement, poster or building, do your best to warn the owner of the site so others don’t get caught too.

QR code scams are in their early days, but as more and more organizations see the benefit of using these codes, expect the crooks to exploit the same opportunity too.

Time to conclude for today — have a great week!