QR codes have become a convenience of modern life. Just scan the black and white mosaic with your phones camera and you can do everything from connect to your hotel room Wi-Fi to pay for that public parking space to pull up a restaurant menu.
But QR codes can also leave you vulnerable. Thats because scammers, organized criminal gangs, and shady nation-states are using the unassuming tech to get you to hand over your data unwittingly. Heres how theyre doing it, and how you can protect yourself.
People love the convenience of QR codesbut so do scammers
Its hard to believe that something nefarious can lie within a QR code, but it can. In order to understand why, it helps to know how a QR code works. Short for quick response code, a QR code is essentially a more advanced version of UPC bar codes that have been found on packaged products for decades.
An old-school UPC code (short for universal product code) is a one-dimensional image composed of vertical bars of different widths that represent different numbers. When the barcode is scanned, the numbers are read and compared with a database to identify the related product.
QR codes are two-dimensional images with glyphs of various sizes that store not just numbers, but text. When scanned, your phone extracts the encoded information and can act on it. For example, QR codes often embed URLs, allowing you to scan, say, a parking meter to launch a webpage where you can pay online.
For sure, this is a lot more convenient than manually typing a URL into your phones browser to load the payment page. But our desire forand unquestioning acceptance ofthis convenience is now being exploited by scammers through what has become known as quishing.
The growing threat of quishing
Increasingly, everyone from scammers to nation-states are trying to exploit our willingness to use QR codes. They do this by embedding malicious links in them and sending them to a person via email, often purporting to be from their bank or an online service they use. Alternatively, individual malicious actors have been known to print QR codes with malicious links embedded and physically place them over authentic QR codes on parking meters, restaurant tables, and in hotel rooms.
Unsuspecting individuals then scan these QR codes, not realizing that the URL embedded in them leads to a scam site designed to mimic the real one. These look-alike sites are designed to steal the users login credentials, credit card details, or other sensitive data.
If this sounds a lot like the old school phishing weve been dealing with since the dawn of the internet, thats because it isjust updated for a QR-coded world, hence the term quishing.
How to protect yourself from fake QR codes
Quishing is becoming a growing problem, but there are ways you can protect yourself against it.
The first is by adopting healthy skepticism about QR codes. Just because a QR code is on the hotel room nightstand, below the parking meter dial, or in an email that looks to be from your bank doesn’t mean its benign. Understanding that is your first step toward protecting yourself.
The next step is to carefully examine QR codes before scanning them. Scammers often place fake QR codes over real ones in the physical world. So, before you scan a QR code on a restaurant table, take a moment to inspect it for signs that it might be a sticker covering the authentic code. Look for rough edges, tears, or black squares from a deeper QR code showing through the white space, as these can indicate that the QR code isnt one you should be scanning.
Likewise, be extremely cautious of QR codes you receive in emails, especially from senders purporting to be your financial institution or online services you useand particularly if these emails contain messages that use language like scan the code now to secure your account. Scammers rely on urgency to compel people to enter their login details hastily on fake websiteslogins the scammers will then use to access your accounts on the real website.
Finally, never enter information on a web page that was loaded from a scanned QR code without first manually checking the URL in your web browser. The web page might look like your banks login screen, but a scam website will have a URL that doesnt match the authentic websites address. When in doubt as to whether a URL is authentic, its best to open up another browser window, do a Google search for the website in question, and click on the link Google gives you.
