PROCIRCULAR BLOG

Educating your business on the importance of cybersecurity

QR Code Scams: How to Help Your Employees Avoid Them

Posted by ProCircular Team on Feb 21, 2024 2:04:45 PM


We've all become familiar with QR codes, those square bar codes that seem to be everywhere. You scan them with your phone camera and they take you directly to a website. QR codes are an incredibly convenient way to access information, but scammers are clever and already use them as part of their scam arsenal. Fortunately, everyone can protect themselves from QR scams by learning how they work and remaining vigilant.

In this guide, you'll learn more about QR scams and how they pose a threat to both individuals and businesses. We'll also take you through everything you and your employees can do to prevent QR code scammers from accessing sensitive personal and company information.

What Are QR Code Scams? 

A QR code scam involves a malicious or fraudulent QR code. When scanned, the QR code typically directs the user to a malicious website. There, the scammer can extract sensitive information or prompt the user to download viruses or harmful software.

QR code scams are so effective because it's hard to tell they're fake until you scan them. Even then, you may not notice you're on the wrong website, especially if you've never visited it before.

Types of QR Code Scams

Scammers use QR codes for various scams, and it's essential to understand how these work so you and your employees can identify them before they cause damage. The three common types of QR code scams include:

  • Quishing: Similar to phishing, quishing emails or messages appear to be sent from a legitimate source and request that you scan a QR code. This should already alert you to the scam, as there's no need to use a QR code on a digital device when you can send the link directly. 
  • Fake codes: This method is a lot sneakier. The scammer places a fake QR code over a real one. These QR codes often direct you to a website similar to the original QR code, making them harder to identify as scams.
  • Scanner apps: Nearly all phones have cameras with built-in QR code scanners, but some phones may need an additional app to perform this function. Scammers will try to get you to install their own QR code scanner apps containing malicious code.

Risks Involved in Scanning Unverified QR Codes

When you or an employee scans a fraudulent QR code, scammers can:


  • Steal information: Scammers use QR codes to direct people to fake login sites where they steal login credentials or ask for personal information like names, email addresses, and social security numbers. They may sell this information to third parties or use it to commit identity fraud.
  • Download malware: The website may ask the visitor to download an app or software containing malicious code that can control the device, spy on activity, or perform specific tasks. Some websites even have drive-by downloads, where the program or files automatically start downloading without consent.
  • Send messages: Scammers can program QR codes to perform tasks like sending an email, creating a contact, launching an app, or following a social media account.
  • Steal money: Through QR codes, scammers can steal money from their victims. They may direct you to a fake payment portal that sends money to them instead of the intended recipient, or steal your credit card information or banking login details, giving them access to your accounts. Scammers also target cryptocurrency holders who use QR codes to make cryptocurrency payments.

How a QR Scam Can Affect Your Business

Most businesses consider cyberattacks from hackers when developing their security protocols, but many don't think about the damage a simple QR code can cause. If an employee falls prey to a QR code scam, scammers may gain access to confidential business information or steal large sums of money from business accounts. The business can also suffer reputational damage if, for example, the scammer leaks customer information or sends malicious messages to customers.

How is this possible, especially if the business has robust security? Employees often have access to their business email accounts on their personal phones or may be logged into their work Google account. If they scan a malicious QR code with their personal device and provide their login details or download malicious software, scammers will have access to business information.

To prevent damage from QR code scams, you must actively train employees to identify and avoid common QR scam practices.

Should You Always Avoid Scanning QR Codes?

While scanning a QR code can be dangerous, QR codes aren't inherently harmful. A QR code only stores information scanners can read. However, the content on the QR code or the destination it takes the user to can pose a threat if handled incorrectly. Nearly all QR code scams require consent or activity from the user, whether that's to allow an action, fill in information, or initiate a download. Even with drive-by downloads, you usually have to allow the application to complete the installation or task.

QR codes are incredibly convenient, and avoiding them entirely is unnecessary. The key to safely scanning QR codes is understanding common scamming tactics and pausing before clicking anything.


How to Check If a QR Code Is Safe

Follow the steps below before you scan any QR code to ensure it's legitimate and safe.

1. Assess the QR Code

The first step to avoiding QR scams is to learn how to identify a fake QR code. A QR code can't be hacked, but it can be covered with a fake one. Some fake QR codes are easy to spot because the scammer has to place a sticker with their QR code over the original. If it looks seamless, feel for any bumps or ridges.

Never scan a QR code when it's from a stranger or you can't identify its purpose.

2. Preview the Link

Always check the link from the QR code before you click on it. Using your phone camera or QR scanner, hover over the QR code and view the link preview. If there are any misspellings or odd characters, avoid clicking it. Shortened or hidden links are usually a red flag.

3. Go Straight to the Source

Legitimate QR codes typically indicate the destination in writing somewhere near the code. If you're unsure about the QR code, don't scan the code — manually type out the link in your browser to avoid any potential scams. You can also go online to find the website yourself.

4. Check the Website

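Look over the website for anything suspicious, such as poor-quality images or misspelled words. Ensure the URL is secure by looking for the lock symbol and "https://" at the start of the URL. The lock only shows that the connection is encrypted; scam sites can have it too, so also confirm that the domain name is the one you expected.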

5. Contact the Company

If you receive a new email or message with a QR code, contact the company directly and verify the legitimacy of the QR code. This is especially important if the messaging seems urgent or promises too-good-to-be-true rewards for scanning the code.

Before scanning a QR code in a public or business setting, ask security personnel or staff members to confirm its legitimacy first.
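The link-preview and website checks above can also be automated for the text a scanner decodes from a QR code. The following Python sketch is an added example, not code from ProCircular; the function name `review_qr_payload` and the `SHORTENERS` and `EXPECTED_DOMAINS` lists are illustrative assumptions, and it goes slightly beyond the steps by also flagging raw IP addresses, hidden user info, and non-web payloads such as email or SMS actions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative values: tune both sets for your own organisation.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
EXPECTED_DOMAINS = {"example.com"}  # domains staff are expected to reach via QR

def _edit_distance(a, b):
    """Levenshtein distance, used to spot one-or-two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_qr_payload(payload):
    """Return a list of warnings for the text decoded from a QR code."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Non-web payloads trigger actions (email, SMS, Wi-Fi join), not a page.
        return [f"non-web payload ({scheme or 'plain text'}): opens an action, not a site"]
    warnings = []
    host = (parts.hostname or "").lower()
    if scheme == "http":
        warnings.append("not https")
    if parts.username or parts.password:
        warnings.append("userinfo before '@' hides the real host")
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        warnings.append("non-ASCII or punycode host (possible lookalike characters)")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if host in SHORTENERS:
        warnings.append("shortened link hides the destination")
    registrable = ".".join(host.split(".")[-2:])  # naive: ignores multi-part TLDs
    for good in EXPECTED_DOMAINS:
        if registrable != good and 0 < _edit_distance(registrable, good) <= 2:
            warnings.append(f"looks like a misspelling of {good}")
    return warnings
```

An empty list means none of these checks fired; it does not prove the destination is legitimate.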

How to Protect Your Business From QR Code Scams

Keep your business and staff safe from QR code scammers with our advice below.

1. Provide Proper Education

Employees are unable to defend themselves against scammers if they're unaware of the threat and its consequences. Enroll every employee in cybersecurity training so they can learn the various techniques and behaviors that will keep themselves and the business safe from all types of scams.

The best line of defense against QR code scams is education. Protect your business by training each staff member to identify and react to scams appropriately.

2. Use Two-Factor Authentication

Enable two-factor authentication (2FA) on all business accounts to provide further security in case a scammer gains access to login credentials. Your employees will need to verify the action through a second method the scammer shouldn't have access to. Encourage all staff members to enable this feature on their personal accounts, too.

3. Install Cybersecurity Software

Effective cybersecurity tools and software can identify malware and warn users about suspicious websites before they cause any harm. You can also use reputable QR code scanning apps that alert the user of any threats after they scan the code.


ProCircular is a cybersecurity consulting company based in Iowa serving companies throughout the Midwest. Our team of IT and security specialists can help your business mitigate cybersecurity risk by discovering vulnerabilities and establishing robust defense mechanisms to resolve them.

We also offer security awareness training to teach employees to protect themselves and the business from outside threats, like QR code scams. Our comprehensive course covers vital topics like phishing awareness, password management, and security best practices.

Learn more about our training services and contact us today if you have any questions or want to get started.

Topics: Cybersecurity, Network Security, Information Security, Data Security, Data Protection, risk
