During the Super Bowl in February, one ad grabbed a lot of attention: a mysterious bouncing QR code that enticed viewers to point their phones at their screens and click through to an unknown website. (Spoiler alert: It was for Coinbase.) Within seconds, more than 20 million people had done just that, crashing the cryptocurrency-exchange platform.
The incident illustrated just how willing people are to click on QR codes, but unfortunately for consumers, marketers aren’t the only group that understands this. Two months before, in December, a much darker scenario involving QR codes unfolded when malicious actors placed QR-code stickers on parking meters in major Texas cities, directing drivers to a fraudulent website where they supposedly could pay for parking.
“People were tricked into putting in their credit-card information,” says
security threat researcher at Symantec, part of Broadcom Software’s security technology and response division. “It was a really well-done attack.”
While QR-code scams aren’t common, the risks are rising, security researchers say. The Better Business Bureau’s Scamtracker site lists just 46 QR code-related attacks in the U.S. since March 2020. But as consumers become more accustomed to using QR codes—there has been a 750% increase in QR-code downloads since around March 2020, according to link-management service Bit.ly—security officials expect more attacks. The FBI even released a statement in mid-January about QR-code schemes to raise awareness.
In a typical scenario, scammers post a notice—often posing as a business or other organization that people recognize and trust—that includes a quick-response code, a type of matrix bar code that stores information. When scanned with a camera or app, the code leads to a webpage that might ask unsuspecting users to enter personal information such as a credit card, which is then stolen, or it may install malware to gain access to victims’ devices in perpetuity.
Originally devised in the 1990s by a subsidiary of Toyota to track cars and parts during manufacturing, QR codes replaced things like menus, tickets, brochures, package-tracking numbers and boarding passes as the country moved to “touchless” interactions when the Covid-19 pandemic hit. Rather than handing out menus, for example, a restaurant might ask patrons to simply scan a square matrix bar code with their smartphone cameras, which would lead them with one click to a website where they could view the menu. Now those squiggly squares are seemingly everywhere.
When they’re malicious, QR code scams are essentially a new form of phishing attack, where scammers direct victims to a bogus website, and proceed to ask for personal information. Most smartphones “just read the code and open the link without ensuring that it is safe or that it is, in fact, what it says it is,” says
director of cyber intelligence and analytics at artificial-intelligence cybersecurity firm
so users may not know they have been had. What’s more, he says, adept attackers can use a QR code to send users to a spoof site for exploitation, then pass the information users enter on to the authentic site—an action called a “man-in-the-middle” attack in cybersecurity parlance.
Scammers are exploiting a decision-making mechanism smartphone users have taken for granted: urgency bias. “A QR code is a tool to encourage a quick action from a consumer,” says
principal fraud analyst at Digital River, which helps brands navigate the back-end processes of online selling. Ads like the Coinbase Super Bowl spot, he says, normalize the point-and-click response. “I couldn’t help my hand wanting to click on my phone and scan the QR code, and that is dangerous,” says Mr. Cheung. “It’s so unconscious, you have to really train yourself out of the habit.”
More work for scammers
Some experts expect QR code scams to remain rare. While it’s easy to make a QR code that sends users to a URL that looks authentic and asks for login credentials or bank information, “the good news is that criminals are lazy,” says
vice president of security research at
a cloud-computing and security services provider. “Having to physically place QR codes around a city and making them look perfect, rather than just sending simple phishing emails, is extra work,” he says. Symantec’s Mr. Chien says having to be physically located nearby to swap out restaurant menus or put stickers on meters doesn’t lead to a good return on investment compared with, say, “breaking into banks and stealing the account information of millions of people in minutes.”
According to security researchers, there are some simple rules to follow to avoid being had by a QR phishing scam. Mr. Chien says to only scan QR codes that are “baked in,” meaning they are printed on a device or other informational material at the time of manufacturing, not stuck on after the fact.
“Most legitimate QR codes are not a sticker someone has added on,” he says. If you do scan one, check the domain that pops up on most smartphones before clicking. The parking-meter scam in Houston, for example, sent users to the now-defunct “passportlab.xyz,” which then directed them to log into a “Quick Pay Parking” system. That should have been a red flag, he says, since a legitimate QR code from a city would likely lead the user to a municipal website, usually ending in .gov or .org, or to an obviously city-run app (typically advertised by being printed on metal and affixed to a pole).
The best way to thwart would-be scams is to manually input the desired website when a QR code seems fishy or untrustworthy. Installing a QR-code scanner app with added security can also help identify swindlers, should you choose to scan. The rest comes down to standard cyber hygiene and practices everyone should employ to protect against any manner of phishing attack: Use a password manager, which won’t autofill your credentials on a suspicious site; make sure your credit cards have functions to protect against theft and fraud; don’t input personally identifiable information on an unknown website.
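The domain check described above, written out as the kind of test a scanner app could run on a decoded QR payload before opening it. This is an added example, not code from the article or from any scanner product; the function name, the `expected_hosts` parameter and the `parking.example.gov` host are hypothetical, and only `passportlab.xyz` comes from the article.

```python
from urllib.parse import urlsplit

# Assumption: the suffixes the article says a city QR code would likely use.
# A real deployment would pin exact hostnames rather than trust a suffix.
EXPECTED_SUFFIXES = (".gov", ".org")


def review_qr_payload(payload, expected_hosts=()):
    """Return (verdict, host, reasons) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ("block", None, ["payload is not a parseable URL"])
    if parts.scheme not in ("http", "https"):
        return ("block", None, [f"not a web link (scheme {parts.scheme!r})"])

    # hostname is what the browser will actually connect to: lower-cased,
    # with any "user@" prefix and ":port" suffix removed.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("block", None, ["no host in URL"])

    reasons = []
    if parts.scheme != "https":
        reasons.append("unencrypted http")
    if parts.username is not None:
        reasons.append("text before '@' is not the host; real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label; displayed name may be a look-alike")

    if host in expected_hosts and not reasons:
        return ("allow", host, [])
    if not host.endswith(EXPECTED_SUFFIXES):
        reasons.append("domain does not end in " + " or ".join(EXPECTED_SUFFIXES))
    elif host not in expected_hosts:
        reasons.append("plausible suffix, but host is not on the expected list")
    return ("warn", host, reasons)


if __name__ == "__main__":
    known = {"parking.example.gov"}          # constructed placeholder host
    samples = [                              # constructed sample payloads
        "https://passportlab.xyz/",
        "https://parking.example.gov/pay",
        "https://parking.example.gov@passportlab.xyz/pay",
        "tel:+15555550100",
    ]
    for s in samples:
        print(s, "->", review_qr_payload(s, known))
```

A suffix match alone only downgrades nothing to "allow": the verdict is "allow" only for a host the operator has listed, which mirrors the article's advice to type in the known site when anything looks off.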
When in doubt, says Digital River’s Mr. Cheung, go old school. “QR codes usually have redundant options,” he says, so ask for a printed menu or pay with cash. “Anything that can be encoded, people will figure out how to turn into a scam,” says Mr. Benjamin.
Ms. Mitchell is a writer in Chicago.
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.