The QR Code is today a very popular tool that is used in many places, such as restaurants, gyms, travel agencies, coffee shops, supermarkets, hospitals, stores, pharmacies and even in advertisements on social networks or on TV. A major factor that contributed to its popularization was the COVID-19 pandemic, during which businesses looked for different ways to survive through digital channels. However, like everything that is successful, the QR Code ended up attracting cybercriminals who are using the tool to steal information and carry out scams.
For those unfamiliar, the QR Code was created in 1994 by Masahiro Hara of the Japanese automotive company Denso Wave. Its appearance is similar to a bar code, but instead of being rectangular, it is square. Like the bar code, the QR Code can be read using an image sensor, and one of the most common ways to do this is using a camera on a mobile device such as a cell phone or a tablet. When the black and white image is read, a code is identified, which is usually an address for accessing a website on the internet.
Why can the QR Code pose a threat to those who use it?
Today’s QR Code is simple to generate and use. Due to this great ease and current popularity of the technology, in the last 2 years there has been an increase in the activity of cybercriminals using the QR Code to gain access to the victim’s cell phone and consequently to personal information, even being able to access the victim’s bank account.
CyberArk, a specialist in identity security, reports that in January 2022 the FBI said that “cybercriminals were manipulating legitimate QR Codes to redirect victims to malicious websites, which ended up stealing financial login data”. That is, the QR Code is being used in scams that direct victims to sites resembling something legitimate, where the person is typically asked for various data.
Through some social manipulation techniques, the cybercriminal can carry out phishing attacks on cell phones. This can lead the scammer, according to CyberArk, to “spoof the password lock on the victim’s device, which upon entering username and password, allows the attacker to gain access to all of the user’s passwords.”
QR Code: Seven things you should pay attention to when using it
To prevent you from being deceived when using a QR Code, CyberArk recommends seven precautions that people should take so as not to have their information stolen and end up losing access to various services, including banking.
- Do not scan! If something seems wrong, the ideal is not to scan the QR Code and to access the site directly instead. Every genuine code should have an associated URL underneath to give the user the option to navigate there. If it is missing, the code may be suspect.
- Don’t be in a hurry. Before scanning any code, it is important to ask yourself if you know who inserted the QR Code there, and if you trust that person or company. Does it make sense to use this code in this situation?
- Closely inspect QR Code URLs. After scanning the QR Code, it is essential to verify the link it points to before continuing. It’s also important to check whether it matches the associated organization, looks suspicious, or includes strange misspellings or typos. For example, in the Texas parking meter scams, part of the URL used was “passportlab.xyz”, clearly not an official city government website. You can also do a quick web search, looking for the URL in question, to confirm that the QR Code is authentic.
- Look for signs of physical change. This tip is especially important in places where QR Codes are used frequently, such as restaurants. If you see a QR Code sticker pasted on top of another code, it is reason to be suspicious.
- Never download apps through QR Codes. Malicious people can easily clone and spoof websites. To download an application, the ideal way is to go to the official application store of the device’s operating system and download it directly from there.
- Do not make electronic payments through QR Codes. It is better to use the official app or go to the website with the official domain to log in there.
- Enable multi-factor authentication (MFA). This helps protect sensitive accounts such as banking, email and social media apps. With another layer of authentication, a cybercriminal will not be able to access a victim’s data with just the username and password.
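As an added example (not from CyberArk or the original article), here are the checks from the “Closely inspect QR Code URLs” tip written in Python: compare the scanned link's host with the organization's official domain and flag near-miss spellings. The function names, warning labels and the `city.example` domain are assumptions made for illustration, and the code goes slightly beyond the tip by also flagging non-HTTPS links, login text before an `@`, and internationalized hostnames.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_qr_url(payload, official_domain):
    """Return warnings for the text decoded from a QR Code (empty list = no flags)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not-a-web-url"]
    official = official_domain.lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if "@" in parts.netloc:  # text before '@' is a login, not the site name
        warnings.append("userinfo-in-url")
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        warnings.append("idn-host")  # may contain look-alike characters
    if host != official and not host.endswith("." + official):
        warnings.append("domain-mismatch")
        # Compare the same number of trailing labels as the official domain has.
        tail = ".".join(labels[-len(official.split(".")):])
        if 0 < edit_distance(tail, official) <= 2:
            warnings.append("lookalike-domain")
    return warnings

# Constructed samples; "city.example" stands in for the organization's real domain.
SAMPLES = [
    "https://pay.city.example/meter/12",
    "https://passportlab.xyz/",          # host quoted in the article
    "http://city.examp1e/pay",
    "https://city.example@login.test/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, inspect_qr_url(url, "city.example"))
```

An empty list only means none of these specific checks fired; it does not prove the destination is trustworthy.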
In the end, it is always good to analyze the situation and think about whether the QR Code you are scanning was found in a place (physical or online) that is considered reliable and safe. That way there will be a lower chance of you being attacked and having your information stolen.
To be sure of the reliability of the QR Code, always check whether what you are accessing is official. You can check the social networks of the company or person or, if it is a physical establishment, look for any change that makes the pasted QR Code different from the others in the place, or for very dubious image quality.