Scan a QR code and you can get information such as recipes, menus, website links and links to download apps, coupons and more. Quick Response (QR) codes were created to track automotive parts, but they’re everywhere now.
There are many third-party QR scanning apps, but you don’t even need one. Your iOS or Android phone’s camera can scan QR codes without the need for any additional software.
While convenient and entertaining, scanning a QR code can expose you to malware and scams. Crooks use QR codes to steal credit card details and other sensitive information. Here’s what you need to know.
Here’s the backstory
Cybersecurity researchers at HP have been following a Chinese-language phishing campaign distributed through Office documents sent by email. The documents contain no malicious code, just some text and a QR code.
The senders pose as the Chinese Ministry of Finance and similar institutions, informing recipients they are entitled to a government grant. Of course, they’re advised to act quickly (a common tactic wielded by many scammers).
The document contains bits of information to make it seem more legitimate, such as copyrights and security notices. Recipients are told to scan the QR code using WeChat, a popular social media app that offers payment options and messaging.
Scanning the code leads to a webpage containing the same information as the Word document from the email. There’s a button to get the “grant application” started. There’s also a request for payment card information.
The unsuspecting victim enters their bank card number, and that’s it, right? No, it doesn’t end there. The crooks ask for more information, such as credit balance and limit, which they’ll likely use to get around fraud detection. But no matter what they use it for, the more information they have, the more damage they can do.
Just because this scam is making the rounds in China doesn’t mean scammers can’t do the same thing here. There’s no language barrier when it comes to crime.
HP has been tracking these campaigns since the end of October and says they are being distributed in high volumes. The messages are structured in a way that makes it easy for attackers to change the theme and lures as they see fit.
The QR codes force victims to switch to their mobile devices to input their details — and these don’t usually have the same protection against phishing websites that PCs do.
How to stay safe
Here are some tips to avoid QR code scams:
- Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Practice caution when entering login, personal, or financial information on a site you reached from a QR code.
- Do not download a QR code scanner app. This increases your risk of downloading malware. Most phones have a built-in scanner through the camera app.
- If you receive a QR code you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
- Avoid making payments through a site you navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
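
The first tip above, checking the scanned URL for typos or a misplaced letter, can be automated. The following is an added example, not code from HP or from this article; the EXPECTED allowlist and every sample URL are constructed placeholders, and the edit-distance threshold of 2 is an assumption.

```python
from urllib.parse import urlsplit

# Assumption: the domains you actually expect the code to lead to (placeholders).
EXPECTED = {"example.com", "pay.example.com"}

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(url, expected=EXPECTED):
    """Return (verdict, reasons) for the URL text decoded from a QR code."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # e.g. https://example.com@other.test/ : the real host is after the "@"
        reasons.append("userinfo before host")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        reasons.append("internationalized host")  # possible look-alike characters
    if host not in expected:
        for good in sorted(expected):
            if edit_distance(host, good) <= 2:
                reasons.append(f"lookalike of {good}")  # typo or swapped letter
            elif host.startswith(good + ".") or f".{good}." in host:
                reasons.append(f"embeds {good}")  # trusted name used as a subdomain
    if host in expected and not reasons:
        return "expected", reasons
    return ("suspicious" if reasons else "unknown"), reasons

if __name__ == "__main__":
    # Constructed sample URLs, as if decoded from scanned QR codes.
    for sample in ["https://pay.example.com/checkout",
                   "https://examp1e.com/grant",
                   "https://example.com.evil.test/apply",
                   "https://example.com@login.evil.test/",
                   "https://news.test/article"]:
        print(sample, "->", check_qr_url(sample))
```

An "unknown" verdict only means the host is neither on the allowlist nor close to it; it still deserves the caution described in the other tips.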