Staying Safe From Fraudulent QR Codes

‍

QR codes are becoming ubiquitous. You'll find them just about anywhere -- in the street, at restaurants, on packaging, and even in your inbox. However with their rise in popularity, QR codes have become a popular tool for exploitation by hackers and scammers. Paying a parking meter, logging into an account, or being directed to an e-commerce website from codes are all seemingly harmless actions can be manipulated into a fraud tactic.

Like any other digital interaction, using QR codes can put you at risk of scams and hacking. This isn't to say that all QR codes are unsafe, but that everyone should interact with them with similar caution as other technology.

This article is here to help you navigate the novel world of QR security threats and best practices to keep your information safe.

In a highly digitized world, our devices have become similar to our homes – they’re filled with sensitive personal information like financial documents or access to your professional accounts. While it's common knowledge not to share sensitive information over the phone or on fishy links received via text, most people don’t apply this same wariness to QR code interactions.

With the proliferation of QR codes, our smartphone cameras acts have become a new front door into our ‘digital homes’. If someone can convince you to scan an unprotected code, you may unwittingly be letting them into your device filled with sensitive information. Once that door is opened, this leaves you susceptible to information robbery by scammers, or at the very least, may frustratingly land your phone number on a telemarketer’s list.

What are the main QR security threats?

Here are a couple methods hackers use QR codes to ‘break in’:

QRLJacking (Malware Attacks) – when you scan a QR code, it prompts and dupes users to download fake apps or take other actions that trigger the installation of harmful software (to gather information, spy on activity, or lock devices).

“Quishing”(Phishing Scams) – hackers know it’s easy to spook someone with traditional text or email phishing, so they use misleading or seemingly harmless ‘trojan horse’ QR codes and webpages to gather your information.
In Austin, TX fraudsters replaced parking meter QR codes with fake codes that tricked users into sharing credit card information
Recently, German e-bank users were targeted via email with malicious QR codes to that stole their account information

Where might you encounter these fraudulent QR codes?

By using a 'QR scanner app'
Embedded in e-mails from fake accounts
Fake QR codes overlaid on billboards or other public areas

‍

What are main privacy risks?

While security threats can cause tremendous damage, they are rarer than more commonplace day to day infringements on digital privacy. Privacy refers to our ability as consumers to control how much information we share; while less severe of a threat, it is equally important.

Most QR providers focus on collecting non-personally identifiable information – think IP address, location, scan numbers, etc – and will send a push notification request to gather more specific data about your behavior, or ask you to manually enter it. That said, the lack of regulation in the QR industry means that what most QR providers do with our data is largely a black box.

Third Party Data Sharing: QR code providers aren’t always held accountable for what they do with your data. Providers who don’t have certifications around security and privacy aren’t bound by any laws to not share your information, or even encrypt it securely. This means that unless QR providers have a stamp of approval through broader legislative certifications, there’s no guarantee they aren’t gathering and reselling your personal information.

Unfortunately, most QR codes are indistinguishable. With many generic QR code providers, you have no true idea of who created it, what information they are gathering from you, and how they intend to use it.

Thoughtlessly scanning a code from an unknown provider can be akin to opening your door without checking who knocked on it first – it puts you at unnecessary and preventable risk from exploitation. This is why it’s important to approach codes with some skepticism. If we treat our devices as sensitively as our homes, we can fend off a lot of the risk and keep our information safe.

How can I keep my information safe?

Use your street smarts:
Context clues are always helpful. A lonely QR code in a random high traffic area, or a damaged or covered code is likely sticker bait from a hacker – avoid these.
Trust your gut. If something seems fishy, it very well could be – listen to the same voice that tells you not to click on that random link from an unknown number. If you’re still curious, try to search the URL manually instead.

Avoid “QR scanner” apps:
You don’t need a special app to scan a code, your smartphone camera is perfectly fine. These apps are often developed to trick users and download harmful software onto your device.

Be discerning with websites:
If you’re directed to a website, check for common signs of cyber foul play – poorly built websites, typos on pages or URLs, could all be signs of a data-scraping fraud website. If a QR code directly asks you to enter sensitive information (credit card, medical, etc), you should be on high alert. Do some googling.

Adopt good cyber-hygiene:
Store information securely. If you store sensitive passwords, documents, or other information on your phone, consider downloading an encrypted notepad to keep this information extra secure.
Keep your accounts locked. Use a trusted password manager and two-factor/multi-factor authentication to ensure that important accounts (especially professional ones) remain protected.
Stay updated. Keeping your device on the latest operating system ensures that your device provider can help protect your information too.
Download antivirus and anti-malware software for your device.

Look for codes you can trust – Flowcodes!
The surest way to stay protected is to use and interact with a provider that is committed to privacy and transparency. Most Flowcodes are co-branded, showing our logo right on them. We also share our privacy policy up front with our Privacy Smile -- you can look up the details of our policy before you scan.

Now that you've learned about the potential fraud risks that exist with QR codes, help spread the knowledge and keep aware. Treat your device securely and always think twice about the context and security of QR codes you encounter. Flowcode makes it easier than ever to ensure your safety and peace of mind.