SEATTLE — If you haven’t heard of QR codes, you’ve probably seen them: little black-and-white boxes you scan with your phone’s camera. Your phone interprets the code, and everything from menus to deals pops right up on your device via the internet.
And they’re everywhere now.
“Yeah. And they’re a cool technology. And that means they’re subject to abuse, like all the cool technologies, right?” says our cyber security expert, Tim Helming.
Tim Helming is with Seattle-based firm DomainTools and has 20 years of experience in information security. He says scammers are always learning new tricks - and they’re now in the game, turning QR codes into your misery.
“It could be that they are making a fraudulent payment. It could be that they are downloading malware onto your phone,” says Helming. “So, any of those things - if you think about anything that an attacker could do through a malicious link to a phone, they can do the exact same thing through a QR Code.”
The other issue at play is that you can hover your mouse over a link to check whether a web address is legitimate before you click. A QR code doesn’t give consumers that chance.
“You have fewer ways to validate what it is that you’re about to get to,” says Helming, “than you do if it’s an actual link.”
The BBB scam tracker shows one person last month lost more than $65,000 in a scam that used QR codes.
So, Tim says consumers need to consider the source before pointing and clicking.
“If I saw a QR code that was slapped up on a telephone pole or the side of a building or something like that, I don’t care how tempting the offer sounds, I am running away from that thing. Nothing to do with it,” says Helming.
We went around Seattle and we literally saw just that.
QR codes do not have to go through any type of vetting before they’re provided. I got on the internet and found a number of websites that offer QR codes for free. Just pop on the site, enter the website you want the code to send people to, and you’re good to go.
Tim says to imagine the ease with which a scammer could make this happen and download malware onto a phone.
“It could be a credential-harvesting kind of thing where they want you to enter log-in information and then they have your username and password for some major account,” says Helming. “Worst-case scenario is the same as any kind of phishing attack.”
Here’s what you do to protect yourself, according to the Better Business Bureau:
- Even if someone you know sends you a QR code, confirm before scanning it.
- Don’t open links from strangers.
- Verify the source of the code.
- Install a QR scanner with added security.