Millions hit in quishing attacks as malicious QR codes surge — how to stay safe


If you’re one of the 73% of Americans who have scanned a QR code without verification, you’ve opened yourself up to malicious behavior and potentially to getting hacked.

As reported by CNBC, millions of people have been victimized by quishing as more and more bad QR codes have appeared in public places.

According to security researchers at NordVPN, more than 26 million people have been directed to malicious websites through illegitimate QR codes. Likewise, earlier this year the FTC issued a warning about QR codes appearing on unexpected or unwanted packages that – when scanned – would lead the recipients to phishing websites that steal personal information like usernames and passwords and even credit card numbers. These websites could also potentially download malware onto your phone or give cybercriminals control over your device.

Other places have issued similar warnings: The New York City Department of Transportation warned against QR codes appearing on parking meters that had fake payment links, and Hawaii Electric also warned customers about scammers that were trying to steal payments through QR codes.

A study done by the cybersecurity platform KeepNet Labs found that 26% of all malicious links are now sent via QR code; this may be because the use of QR codes is now more widespread as they're accepted in more places and because there are better protections in place for traditional email phishing campaigns.

Legitimate QR codes on posters, billboards, flyers and official documents can very easily be compromised: threat actors simply paste a malicious code over the original. Think of this like scammers putting a fake keypad over an ATM or a credit card skimmer on a gas pump.

It can also be quite difficult for most people to determine if a QR code has been tampered with in this manner. Since QR codes were designed for convenience and not security, they’re ideal targets for hackers and scammers. In fact, their creator, who originally designed them to keep track of auto parts, never meant for them to be used the way they are today.

QR codes are more dangerous than a traditional phishing email because they make it difficult for users to read the encoded web address, and the human-readable text next to a code can often be modified as well. This is why threat actors have used QR codes more frequently to infiltrate critical networks and the accounts of military personnel, as well as to distribute RATs (remote access trojans), which can give hackers access to targeted devices and networks.

How to stay safe


As with all phishing-style scams, the attackers rely on victims being in a hurry or rushing to correct a problem, which means that the best way to protect yourself is to remain calm, aware and vigilant.

Just like you wouldn’t click on an unexpected link or attachment in an email or text, you shouldn’t scan any QR code you see pasted on a street sign, poster or advertisement. For instance, if the QR code is on the bottom of a poster or advertisement, search for the company or event instead and then go to its website directly.

If you do scan a QR code and get taken to a page, you want to avoid filling out any forms asking for your personal information.

Likewise, you also want to inspect that site's URL for any suspicious signs. Does the website use a top-level domain like ".com" that you're familiar with? Or is it using one like ".TV" or one you haven't heard of before? This could be a sign that you're on a phishing page and not a legitimate website.
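
The URL checks described above can also be automated, for example by a help desk reviewing QR codes that users report. The following is an added example, not code from the original article; the function name `triage_qr_payload`, the `FAMILIAR_TLDS` allowlist and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a short allowlist of top-level domains the reviewer treats as familiar.
FAMILIAR_TLDS = {"com", "org", "net", "gov", "edu"}

def triage_qr_payload(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload deserves a closer look."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme: {parts.scheme or 'none'})"]
    findings = []
    if parts.scheme == "http":
        findings.append("unencrypted http link")
    # "https://brand.example@other.example/" really goes to other.example.
    if parts.username or parts.password:
        findings.append("text before '@' hides the real host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return findings + ["no host in link"]
    try:
        ipaddress.ip_address(host)
        return findings + ["raw IP address instead of a domain name"]
    except ValueError:
        pass  # not an IP literal, so inspect the domain labels
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode label (possible look-alike characters)")
    if labels[-1] not in FAMILIAR_TLDS:
        findings.append(f"unfamiliar top-level domain .{labels[-1]}")
    return findings

# Constructed sample payloads (reserved example domains and addresses only).
SAMPLES = [
    "https://www.example.com/menu",
    "http://192.0.2.10/pay",
    "https://parking.example.com@pay-meter.example.tv/login",
    "https://xn--e1afmkfd.example.com/",
    "pay-meter.example.tv/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_qr_payload(sample) or ["no findings"])
```

An empty result only means none of these checks fired; it does not prove the destination is legitimate.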

If you have an Android device, you can add an extra layer of protection with one of the best Android antivirus apps that can help provide protection against both malware and phishing attacks.

At the same time, if you're really worried about getting scammed or hacked, you might want to invest in one of the best identity theft protection services as not only can they help you get your identity back but they can also aid you in recovering any funds lost to fraud.

Now that QR codes and scanning them to access menus and other info have become commonplace, this threat likely isn't going away anytime soon. In fact, it might actually get worse as cybercriminals devise new ways to use QR codes in their attacks. That's why it's up to you to be extra cautious whenever you interact with a QR code, as failing to do so could have serious implications.



Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
