The normalisation of QR codes (and new technology in general) often comes with the risk of individuals who will exploit its adoption to steal private information, data and even money. As a technology company driven by QR codes, we believe it’s important to explain how malicious QR codes work, what will be stolen and how to spot them.
In this section, we will outline the different types of malicious QR codes that exist, the strategies used to impersonate authentic QR codes and the information they want to steal from you. Afterwards, we will explore how you can identify malicious codes and use this technology safely.
Phishing QR Codes
Phishing codes lead to fake websites of established companies (social media pages, online banking and mobile service providers) and prompt you to enter your account details. These are the most common types of malicious QR codes because they are the easiest to create. The goal of these fake websites is to steal your login credentials and access your account. Social media phishing would aim to exploit your account’s personal reach and network of friends whilst posing as you. Online bank phishing places your entire bank account at risk, as the scammers could send your money anywhere.
Because Android is designed as an open platform, it can download software from outside app stores, and drive-by downloads exploit this ability to install malware. These codes lead to web pages that automatically install malware aimed at harvesting data from your phone and recording your login information. Since there is no definitive way to determine what is on a QR code, this form of cyber attack is dangerous because the act of scanning the code is what initiates the download.
Adding New Contacts
Scanning this malicious code will share your contact number and automatically create a profile in your contacts, typically imitating a bank, mobile service provider or subscription service. The QR code functions as a prerequisite for a targeted scam calling operation, where the scam caller is granted credibility through the false contact that the QR code created.
Automatic Calls, Messages, Profile and WiFi
Malicious codes can also be used to run automatic commands, such as populating your email and text messages with scams to send to your contacts, or even using your phone as a proxy to call others. This is similar to the previous strategy, where QR codes are used to acquire credibility. The difference is that your credibility is being used to scam your contacts. This strategy can also be used to set up fake profiles on your behalf and to connect your phone to fake public WiFi that the scammers operate.
Tips to Stay Safe
A common trend across all of these different scam strategies (and scamming in general) is deception. Phishing codes create deceptive websites, drive-by downloads may incorporate additional designs to legitimise the QR code, and codes with automatic commands may populate your contacts to deceive you or use your credentials to deceive others. It is important to approach public QR codes with a grain of salt, so here are a few things to look out for when scanning a QR code.
One of the best ways to determine the validity of a QR code is to preview the hyperlink during the scan. As your phone’s camera hovers over the code, a hyperlink will be displayed. Legitimate QR codes will often feature recognisable URLs from the organisation or companies that developed the code, whilst scam codes will use shortened hyperlinks to hide their website’s URL. It should be noted that official QR codes can also shorten their hyperlinks to reduce clutter, but these shortened links should be recognisable compared to a malicious code’s shortened URL. Whilst this can make it tricky to discern the legitimacy of these codes, there are still more methods to identify a malicious code.
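The preview check can also be automated for anyone who reviews scanned codes in bulk. The following is an added example, not code from this article's authors: it triages a decoded QR payload by the categories described above (web link, contact, call, message, WiFi) and flags the URL warning signs. The shortener list, the download extensions and the function name `triage` are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions: illustrative shortener list and download extensions, not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
DOWNLOAD_EXT = (".apk", ".mobileconfig")
# Payload prefixes that make the phone act instead of opening a web page.
ACTIONS = {
    "WIFI:": "joins a WiFi network", "TEL:": "starts a call",
    "BEGIN:VCARD": "adds a contact", "MECARD:": "adds a contact",
    "SMS:": "drafts a text message", "SMSTO:": "drafts a text message",
    "MAILTO:": "drafts an email",
}

def triage(payload: str) -> list[str]:
    """Return warnings for one decoded QR payload (empty list = none found)."""
    text = payload.strip()
    for prefix, action in ACTIONS.items():
        if text.upper().startswith(prefix):
            return [f"not a web link: {action}"]
    try:
        url = urlsplit(text)
    except ValueError:
        return ["malformed URL"]
    if url.scheme not in ("http", "https"):
        return ["unrecognised payload type"]
    host = (url.hostname or "").lower()
    warnings = []
    if url.scheme == "http":
        warnings.append("no HTTPS")
    if host in SHORTENERS:
        warnings.append("shortened link hides the destination")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host (possible lookalike)")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain")
    except ValueError:
        pass  # host is a name, not an IP literal
    if url.path.lower().endswith(DOWNLOAD_EXT):
        warnings.append("links directly to an installable file")
    return warnings

# Constructed sample payloads (example.com and a documentation IP range).
SAMPLES = ["https://www.example.com/menu", "http://bit.ly/3abcde",
           "http://203.0.113.7/update.apk", "WIFI:T:WPA;S:Free_WiFi;P:guest1234;;",
           "BEGIN:VCARD\nVERSION:3.0\nFN:Bank Support\nEND:VCARD"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s.splitlines()[0], "->", triage(s) or "no warnings")
```

An empty result only means none of these specific signs were found; it does not prove that the destination is legitimate.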
In some cases, scammers will stick their QR codes on top of existing QR codes and posters. Checking if the QR code was intended for the design is the simplest test of a code’s validity. If the QR code is a sticker that was placed on top, it is almost certainly a malicious code.
Fake codes for drive-by downloads will often use additional logos to legitimise their QR codes. They will incorporate the download prompts for ‘Google Play’ and ‘App Store’, as well as company logos to lend credence to their scams.
QR codes allow the public to immediately access digital spaces from their physical surroundings. The convenience this provides can be exploited to mislead individuals into disclosing private information (through numerous different methods). Like all scams, the key to being safe is to understand how these scams operate and the discrepancies between malicious and authentic URLs.