If you haven’t been living under a rock over the past 24 months, the chances are that you would have scanned a QR code somewhere. Even the federal Indian government has pushed hard to get citizens to shift to digital payments, which is convenient as also trackable for tax purposes.
Into this milieu came the QR codes or the quick response codes. These codes were invented in Japan back in the 1990s as a means to manage automobile production. Now, the ubiquitous code is everywhere – from the grocery store to fuel stations and airports to parking lots.
In fact, there are several websites that allow users to create their own QR codes. Even WhatsApp creates one for you on the fly to make it easier to connect to your account via the browser. This is both a tremendous opportunity as well as a raging problem that could be the harbinger of future scams.
Now, it turns out that cyber criminals too are watching these developments carefully in the hope of exploiting the convenience that this technology offers. Last October, cyber security firm McAfee had warned of such scams, especially in economies that were migrating big time into digital payments – countries such as India.
While it is normal for cybercriminals to try to exploit every new technology, it is all the easier when people know how to use one but do not understand how they work behind the scenes, says Angel Grant, VP of security at F5 in a report published on CNET.
Given this scenario, we take a look at the sort of cybercrimes that the QR code can engineer and how we can skirt around them:
Common scams involving QR codes
An email or phishing scam – Once upon a time we would warn you of the dangers involved in scanning bogus QR codes to your smartphones by downloading malware. Now, cybercriminals have moved. The codes you may find on scam websites are now designed to capture your bank accounts, credit cards and other personal data.
Automatic toll booths – A recent scam at the US saw the same QR code being used to dupe drivers pay road tolls or parking tickets online. Instead of taking them to the authorized app, the code took motorists to to a fake website that then collected their credit card details.
QR codes via email – These innocent looking emails could be from your local police asking to pay up for a traffic offence or your electricity company. Without giving any details of the payment due, it may ask you scan a QR code, only to capture all your data and use it later to fleece.
Social media – Beware of all types of flyer on social media platforms. For it is well within the capabilities of a hacker to replace a legitimate QR code with a phoney one, just as they can in public locations.
It is worth noting here that there is no way to look at a QR code to determine it’s legitimacy. Of course, you could spot a clever misspell or a typo or better still an adaptation of a legitimate URL, you’re lucky.
Also, the QR codes have the capability of accessing other functions and apps on your handset, with hackers usually tracking them to open your payment apps, contacts lists etc. to expand their scam.
QR Codes – How to stay safe
- Do not open QR codes from strangers – Unsolicited messages carrying these codes may lead us to a scam site or provide access to the handset that could be used in nefarious ways in the future.
- Check the legitimacy of even legitimate sources – Many of the phishing mails originate from sources that appear legitimate. Check them carefully, including their URL. Also go back to the official website and confirm or contact customer care to counter-check.
- Seek alternate payment methods – QR code is usually not the only method of payment a company offers. So, if you get a bill with a QR code, check another option with those that are seeking the payment. A quick check will reveal whether the requested payout is legitimate.
- Beware of the shortened URLs – Especially when it is part of a payment activity. Usually these are part of unsolicited communication, which means you can simply delete these emails and breathe. Ironically, it could also purport to come from a friend or family who has got her / his device compromised.
- Check before scanning codes – But for QR codes kept in public places like stores where the owner will confirm your transaction, be wary of every other QR code that you find at places without human presence, such as a parking lot in a mall. Do confirm the veracity of the code before swiping it.
- Be aware of tampering – One tell-tale sign of a tampering is a QR Code stuck over yet another one beneath. If there is a human presence in the vicinity, it makes sense to double check but if there isn’t avoid the QR code like the plague.
- Preview the QR code URL – Smartphone cameras could give you a preview of a code’s URL as you start to scan it. If the URL looks strange, you might want to stay away. You could also use a secure scanner app to spot malicious links.
Want to know about the latest happenings in tech? Follow TechRadar India on Twitter, Facebook and Instagram