“I wouldn’t use the term ‘fake QR codes,’ but maybe use the term ‘fraudulent QR codes,’ the distinction being that a QR code can be real — it’s functional and will take the user to a website when scanned — but it may be designed to take the user to a fraudulent website that is posing as a legitimate site,” explained Zack Morrison, chief technology officer and cofounder of Brij, a platform that connects physical products and digital experiences through QR codes.
When the coronavirus pandemic hit, Quick Response (QR) codes became a popular means for governments and businesses to obtain relevant information from members of the public who require their services or goods. It has been a quicker and safer method, since there is no need for physical contact or for writing with a pen. The code just needs to be scanned, and the user is taken to a site where they provide the information needed for their request or order to be processed.
QR codes have also been helpful in the massive efforts of government and health authorities to control the spread of COVID-19. For many countries, contact-tracing and community-based restrictions became easier with the use of these barcodes. All these advantages have made us feel that QR codes are totally safe and dependable.
However, experts warn that this is not true.
Criminals have been creating QR codes that lead innocent people to fraudulent websites. These sites are designed to obtain data from their victims that enables these unscrupulous characters to steal credit card information, financial records, and log-in credentials.
Moreover, according to Kaspersky, “Because humans cannot read QR codes, it is easy for attackers to alter a QR code to point to an alternative resource without being detected. While many people are aware that QR codes can open a URL, they can be less aware of the other actions that QR codes can initiate on a user’s device. Aside from opening a website, these actions can include adding contacts or composing emails . . . Some websites do drive-by downloads, so simply visiting the site can initiate a malicious software download.”
If humans cannot spot a so-called fake QR code, how can we prevent ourselves from getting scammed?
With a good dose of skepticism and caution, experts say we can still outsmart criminals, as published in Reader’s Digest Asia:
- According to Eric Florence, a cybersecurity analyst with SecurityTech, “A legit QR code is never going to take you to a page that tries to scare you into inputting your personal information. If there are any fear tactics or time constraints, it’s a scam.”
- Beware of a QR code on a flyer. Craig Lurey, chief technology officer and cofounder of Keeper Security, advises people to refrain from scanning QR codes that don’t blend with the background. Also, QR codes on stickers should be avoided since criminals could easily place a sticker next to a flyer of a legitimate business.
- Take time to verify with an employee that a QR code in their store or restaurant is their real one before you scan. Someone might have replaced it without their knowing.
- Another way to make sure that a QR code is safe is to look at the URL of the website where it will direct you. Check if it’s the company’s URL or some strange website’s. If it’s unfamiliar, it’s best not to scan the QR code.
- But what if you have already scanned the QR code? Kristen Bolig, CEO of home security company SecurityNerd, shares these wise words, “Once you’ve scanned a QR code, look at the URL of the website to ensure that it is legit. For example, it should start with ‘https://’ and not ‘http://.’” If you find yourself on a strange site, leave it quickly. You must also not download QR code scanning apps since these often carry malware. If you can invest in a security app, it can provide you with better protection from scammers and data-gathering sites in league with marketers.
Experts also advise using two-factor authentication, which makes it harder for criminals to access our online accounts.
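
The URL checks described above, and the point in the Kaspersky quote that a QR code can start actions other than opening a website, can be automated on the decoded text of a code. The following Python sketch is an added example, not part of the original article; the domain `example-cafe.test`, the function names and the sample payloads are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the domains this venue is known to use (constructed value).
EXPECTED_DOMAINS = {"example-cafe.test"}

# Common QR payload prefixes and the device action each one triggers.
ACTIONS = {"http": "url", "https": "url", "mailto": "email", "matmsg": "email",
           "mecard": "contact", "tel": "call", "sms": "sms", "smsto": "sms",
           "wifi": "wifi"}

def classify_payload(payload):
    """Name the action a decoded QR payload would start on the device."""
    text = payload.strip()
    if text.upper().startswith("BEGIN:VCARD"):
        return "contact"
    prefix = text.split(":", 1)[0].lower() if ":" in text else ""
    return ACTIONS.get(prefix, "text")

def review_url(url, expected=EXPECTED_DOMAINS):
    """List reasons a URL deserves a second look; empty means none found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    if parts.username is not None:  # "brand@otherhost" hides the real host
        findings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")  # possible look-alike characters
    # Match the registered domain from the right, so that
    # "example-cafe.test.pay.example.net" does not pass as the venue.
    if not any(host == d or host.endswith("." + d) for d in expected):
        findings.append("unexpected-domain")
    return findings

def review_payload(payload):
    """Return (action, findings) for one decoded QR payload."""
    kind = classify_payload(payload)
    if kind == "url":
        return kind, review_url(payload.strip())
    return kind, ([] if kind == "text" else ["non-url-action"])

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = ["https://order.example-cafe.test/table/7",
           "http://example-cafe.test/menu",
           "https://example-cafe.test@login.example.net/",
           "MATMSG:TO:billing@example.net;SUB:Refund;BODY:;;"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(review_payload(sample), sample)
```

An empty findings list only means none of these checks fired; it does not show that the site is the company's own.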