If you found a free USB drive lying on the ground, or a stranger on the street handed you one, would you plug it into your work computer? Hopefully not, as you should know that such a move could compromise your machine or your data.
And yet, some computer users tend to let their guard down when it comes to scanning QR codes with their devices. It’s a similar scam concept to a physical USB drop, but with a different delivery method.
In recent months, we’ve witnessed a series of alerts and reports on QR phishing schemes – also known as quishing – whereby malicious actors trick mobile device users into scanning codes that lead to a malicious website or a document designed to steal information or install malware. These weaponized codes can be found in both physical spaces and email communications. Part of the appeal for attackers is that the link is carried in an image rather than as text, so URL-rewriting and link-scanning email filters may never see it, and the victim follows it on a phone that is often outside the organization’s security controls.
In September 2023, the Health Information Sharing and Analysis Center (H-ISAC) issued a notice warning the medical sector of an increase in QR phishing attacks. “The use of QR codes to augment malicious operations has increasingly become a common tool abused in phishing campaigns,” the H-ISAC bulletin states. “These observations represent the first time that QR codes have been used in this magnitude, indicating threat actors are likely testing their effectiveness as an attack vector.”
QR codes are everywhere these days – including on advertisements, restaurant menus and product packaging. And while many of these codes are benign in nature – designed to provide users with quick online access to useful information – some could be planted with malicious intent.
Someone up to no good could easily choose a strategic location – perhaps near a targeted business of interest or at an industry convention – and pass out phony business cards or fake marketing materials containing a malicious QR code. They could even stick a malicious QR code over a legitimate one on a menu or advertisement sign in an attempt to send unsuspecting device users to a lookalike phishing site.
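A practical check for the lookalike-site problem described above is to triage the decoded QR payload before anyone follows it. The following is an added example, not code from the original article or from H-ISAC or the BBB. It assumes the QR image has already been decoded to a string by a QR library (not included here); the brand table, shortener list, homoglyph map and sample payloads are all constructed for illustration, and the registrable-domain helper is a deliberate simplification.

```python
"""Triage decoded QR-code payloads before anyone follows the link.

Added example for this article; assumes a QR decoder (not included) has
already produced the payload string. Brand table, shortener list and sample
payloads below are constructed, not taken from any real campaign.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed table: brand keyword -> the domain that legitimately owns it.
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "microsoft": "microsoft.com",
    "cityparking": "cityparking.example",  # hypothetical parking operator
}

# Shorteners hide the real destination, so the person scanning cannot judge it.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

# Digit-for-letter substitutions attackers use to imitate a brand in a hostname.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' approximation (assumption). A real tool would
    use the Public Suffix List so that e.g. example.co.uk is handled."""
    return ".".join(host.split(".")[-2:])


def triage_qr_payload(payload: str) -> dict:
    """Return {'risk': 'low'|'medium'|'high', 'reasons': [...]} for one payload."""
    high, medium = [], []
    parts = urlsplit(payload.strip())

    # QR codes also carry non-web payloads (WIFI:, MECARD:, tel:, ...). They are
    # not phishing links, but they still deserve a human look before use.
    if parts.scheme not in ("http", "https"):
        return {"risk": "medium",
                "reasons": [f"non-web payload (scheme={parts.scheme or '<none>'})"]}

    host = (parts.hostname or "").lower()
    labels = host.split(".")
    if parts.scheme == "http":
        medium.append("plain http, no TLS")
    if parts.username is not None:
        high.append("userinfo (@) in URL; the real host may be disguised")
    try:
        ipaddress.ip_address(host)
        high.append(f"IP-literal host {host}")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in labels):
        high.append("punycode label in host (possible IDN homograph)")
    if host in SHORTENERS:
        medium.append(f"URL shortener {host} hides the destination")
    if len(labels) > 4:
        medium.append("deeply nested subdomains")

    # Brand impersonation: the brand name appears somewhere in the host, but
    # the registrable domain is not the brand's own domain.
    reg = registrable_domain(host)
    for label in labels:
        norm = label.translate(HOMOGLYPHS)
        for brand, real_domain in KNOWN_BRANDS.items():
            if reg == real_domain:
                continue  # genuinely the brand's own domain
            if norm == brand:
                high.append(f"label {label!r} spells brand {brand!r} but domain is {reg}")
            elif len(label) >= 5 and edit_distance(norm, brand) == 1:
                high.append(f"label {label!r} is one edit away from brand {brand!r}")

    risk = "high" if high else "medium" if medium else "low"
    return {"risk": risk, "reasons": high + medium}


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder might hand them over.
    for sample in [
        "https://www.paypal.com/signin",
        "https://paypa1.com/verify",
        "http://paypal.com.secure-login.example/login",
        "https://bit.ly/3abc",
        "https://192.0.2.10/pay",
        "WIFI:T:WPA;S:FreeCafe;P:secret;;",
    ]:
        print(sample, "->", triage_qr_payload(sample))
```

The scoring is intentionally conservative: anything that merely hides the destination (a shortener, plain http, deep nesting) is medium, while signals that are rarely legitimate on a payment or login link (an IP-literal host, userinfo in the URL, punycode, a brand name sitting under someone else's domain) are high. Substring matches such as `microsoft-login` are deliberately not flagged, to keep false positives down; widen the checks to taste.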
An August 2023 Better Business Bureau report detailed a particularly clever scam involving fraudulent QR codes placed on the back of parking meters – “leading victims to assume they can pay for parking through the QR code if they do not have change,” it said. “After paying for the spot through the QR code, some victims return to find their vehicle has been towed or received a parking ticket for non-payment, multiplying the amount of money lost.”
The bottom line is that QR codes found both in emails and in public spaces should be treated with skepticism and a critical eye – especially when they’re found on materials that could have been distributed by virtually anyone. Most phone camera apps display the decoded URL before opening it: read the domain, and stop if it is a shortener, looks like a brand but is not that brand’s own domain, or leads to a page asking for credentials or card details. As the BBB put it: “While the way victims are exposed to QR code fraud varies, a common theme identified in reports is that most come from unsolicited communications or a QR code posted in a publicly accessible location.”