QR Code Scams

Mobile phones may open QR codes without checking if the content can be trusted.

QR codes seemed to be going out of fashion.  It can be faster to type a URL into a web browser than to open an app, scan a code and have the browser load the page.  One of the effects of COVID was to encourage more ‘hands off’ transactions.  QR codes became a feature of COVID awareness posters.  They have also appeared in pubs and restaurants, theoretically linking to seat booking or menu pages on the Internet.

The QR code is exactly what it appears to be: an image that directs the viewer to open a webpage.  Many phone apps scan the code and immediately open the page written inside the QR code with no concern as to the validity of that page.  There is minimal danger of scanning leading to the direct installation of malware on a phone or tablet.  Unless the device is set to allow sideloading apps, through jailbreaking iOS or developer settings on Android, only approved ‘store’ applications can be loaded.  Webpages are still a security threat where they appear trustworthy and require the user to input personal information.

QR codes are amongst the simplest of computer tools to fake.  They can be created on-line or with basic applications; logos can be inserted within the code and the image set as a simple shape with minimal additional effort.  The graphic can then be placed within a convincing document, posted at a suitable spot and the scam is done.  The QR codes include no built-in security so the target has no immediate reassurance that any directed site is to be trusted.  The QR code below is an example of what can be created in a few minutes, not of good design.   If scanned with a camera it will go to the Kindus home page.

Kindus QR Code

A simple but effective scam ran in Austin, Texas in January 2022.  The information on parking pay stations was replaced by a fraudulent section that directed the scanner to a site allegedly collecting fees for the parking bay.  Naturally the parking authority did not receive these fees.  Other recent QR scams can be viewed at scamtracker by searching for ‘QR’.  Unfortunately the site only lists incidents from the USA and Canada, but recent examples concentrate on the use of COVID ‘tracking’ codes to gather personal data for unlawful means.

QR scams are relatively easy to avoid.  The first step is to consider if the code really needs to be scanned.  What benefit would the user gain from scanning the code?  In our banner image, scanning the code on the building might give information on the history of the building or it might not.  Why not simply write any historical information in clear text on the plaque?  If there is a purpose to scanning the code, such as making an order in a café, then what personal information is the page asking for?  In the event of ordering food the restaurant might need the table number and how many guests, but not their names or financial details.

There is a technology solution: some scanning applications show the content text of a QR code before opening the linked page.  This option is also available within the camera of iPhones running recent iOS software.  This approach is not available to those possessing older devices or not wishing to use any device in an unknown environment, so the user should always be presented with an alternative option in clear text to scanning a code.  If no such option is provided, a potential user should stay away no matter how convincing the circumstances seem.
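
The preview step described above, as an added example that is not code from the original article: a Python function that takes the text a QR decoder returns and reports the real site name and any warning signs before anything is opened.  The function name, the warning wording and the sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def preview_qr_payload(payload, expected_hosts=()):
    """Describe decoded QR text for the user; nothing is fetched or opened."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
    except ValueError:  # e.g. malformed IPv6 brackets
        return {"kind": "unparseable", "host": None, "display": text,
                "warnings": ["content could not be parsed as a link"]}
    if parts.scheme.lower() not in ("http", "https") or not host:
        # Plain text, tel:, WIFI: and similar: show it, do not pass it to a browser.
        return {"kind": "not-a-web-link", "host": None, "display": text,
                "warnings": []}
    warnings = []
    if parts.scheme.lower() == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        # In user@host the part before '@' is a login name, not the site.
        warnings.append("text before '@' is not the site name")
    try:
        ipaddress.ip_address(host)
        warnings.append("numeric address instead of a site name")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("encoded international name; may imitate another site")
    if expected_hosts and host not in expected_hosts:
        warnings.append("site is not one you expected")
    return {"kind": "web-link", "host": host, "display": text,
            "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    samples = [
        "https://menu.example.com/table/12",
        "http://menu.example.com@203.0.113.7/pay",
        "https://xn--mnu-dma.example.net/",
        "Table 12, ask staff for the menu",
    ]
    for s in samples:
        r = preview_qr_payload(s, expected_hosts={"menu.example.com"})
        print(r["kind"], "|", r["host"], "|",
              "; ".join(r["warnings"]) or "no warnings")
```

The second sample shows why the preview should display the parsed host rather than the raw text: the string begins with a familiar name, but the page would load from the address after the ‘@’.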
