Scan QR Codes Safely (If You Are Careful)

Last month, the FBI reiterated the dangers of “juice jacking,” an alleged practice in which attackers steal data or install malware on your smartphone through public chargers. The problem is that there have been no documented cases of such attacks in the wild, which could lead some to view other digital security warnings, say about QR code scams, as just another tech moral panic. However, QR code scams are very real and you should be vigilant. But don’t let them worry you too much.

QR code scams in the news

Recently, QR code scams have become more and more common. According to Bleeping Computer, scammers stole $20,000 from a woman in Singapore after she scanned a QR code purporting to be a survey for her local bubble tea shop. The ad promised a free cup of milk tea for taking the survey, so she scanned the code and then downloaded an app when she was asked to do so in order to take the survey. As you may have guessed, this app had nothing to do with a bubble tea shop. It was all about installing malware on her phone and stealing $20,000 straight from the victim’s bank account.

Redditor hamsupchoi posted to r/sanfrancisco last week to warn others in the city about a fake parking ticket scam they had spotted. The “parking pass” looked legitimate at first glance, but it had a city seal that a real parking ticket wouldn’t have, and the “pay online” QR code actually gave access to the victims’ bank accounts.

And the Better Business Bureau has exposed a FAFSA scam, in which scammers trick you into thinking they can help you pay off your student loans. The QR code “helpfully” takes you to what claims to be the official website “studentaid.gov”, but of course it’s all fake, and all the money you pay to the site goes to the scammers, not your loans.

How QR code scams work

For the most part, the risk of simply scanning a QR code is very small. The danger comes from what you do after scanning the code. Fraudsters can design their QR code to lead to malware that, once installed on your device, steals data or displays ads in the background. But they can also create a website that looks like the official one but actually steals information such as your login credentials.

Consider one of the examples above: a victim scanned a QR code at a tea shop that led them to a prompt to download a third-party app on their phone. This is red flag number one: don’t download an app using a QR code unless you’re 100% sure that the organization behind the code is legitimate. This is the first entry point into your phone for intruders.

However, the app alone would not be able to steal $20,000 from the victim. As soon as she opened the app, it asked for permission to use her phone’s microphone and camera, as well as the Android accessibility service. This last permission allows the app to control the screen for accessibility purposes, but for attackers, it’s a way into the victim’s life. From there, they were able to obtain the victim’s login credentials when she was using her banking app, allowing them to access her finances without her knowledge.

In another scenario, a QR code could lead to a website you think is legitimate, where you’ll be prompted for your username and password, but nothing happens when you try to log in. This is because the “site” is actually a fake one, existing for the sole purpose of capturing your login credentials. If the QR code is intended to take you to a site where you have an existing account, like Amazon or your bank, go there yourself instead, or at least make sure the URL doesn’t look suspicious.
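What "make sure the URL doesn’t look suspicious" means in practice, as an added example that is not part of the original article: a check of the link decoded from a QR code against the domain you expect, using studentaid.gov from the FAFSA case above. The function name qr_url_red_flags and all sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def qr_url_red_flags(url, expected_domain):
    """Return reasons a URL decoded from a QR code does not belong to expected_domain."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["not a parseable URL"]
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-cased
    expected = expected_domain.lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not https")
    if parts.username is not None:
        # In https://a@b/ the browser connects to b; "a" is only decoration.
        flags.append("userinfo before '@'")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        # Look-alike letters from other alphabets, raw or punycode-encoded.
        flags.append("non-ASCII or punycode host")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address host")
    except ValueError:
        pass
    # Only the exact domain or a true subdomain counts; the expected name
    # appearing at the start of a longer host does not.
    if host != expected and not host.endswith("." + expected):
        flags.append("host is not the expected domain")
    return flags


# Constructed sample links, as a QR scanner might display them.
SAMPLES = [
    "https://studentaid.gov/manage-loans",
    "https://studentaid.gov.loan-help.example/login",
    "https://studentaid.gov@loan-help.example/",
    "https://studenta\u0456d.gov/",  # Cyrillic letter in place of Latin "i"
    "http://studentaid.gov/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", qr_url_red_flags(sample, "studentaid.gov") or "no red flags")
```

An empty result only means the link points at the expected domain over HTTPS; it says nothing about whether a page or app on the other end deserves permissions.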

How to Safely Scan QR Codes

So, are QR codes too dangerous to scan? Not at all. Even as the world returns to normal after COVID and you can hold a real restaurant menu again, QR codes are everywhere and many of them are legitimate. They have their uses, and there are ways to be safe when scanning them.

In this article, we’ve covered some useful security tips for scanning QR codes. For example, it’s a good idea not to automatically trust any QR code you come across. QR codes are easy to make, so attackers can put them wherever they hope people will scan without thinking.

Also, if you know where a QR code is trying to take you, such as a restaurant menu or a company website, try to go there yourself without a QR code. In some cases, this won’t work, but just google the name of the restaurant and find the menu. Just make sure you don’t fall for a fake Google ad disguised as a real link. (Scammers are everywhere, folks.)

But with QR code scams all over the news, I think there’s room for one more piece of advice to protect yourself when scanning. Do not give any permissions after scanning the QR code, and do not download apps or files when prompted. In 99% of the cases, what’s on the other end of this QR code doesn’t need access to your phone’s camera, microphone, location, or, worst of all, accessibility features. The menu at your favorite restaurant will do just fine without all that, and the bad guys can’t pull off their scam unless you give them the opportunity to do so. Read all pop-ups carefully and don’t agree to anything that you don’t understand or are not comfortable with.

With this approach, scanning QR codes instantly becomes much safer. If you’re scanning something that asks you to grant permission to your accessibility settings or download a third-party app to continue, step back, get on with your day, and be proud that you’ve just ruined some copycat hacker’s day.
