QR codes experienced an exponential increase in prevalence during the touch-free days of the COVID-19 pandemic, and they are now ubiquitous. Who does not appreciate these scannable shortcuts to information and rapid, frictionless payments, from menus to forms and posters?
QR codes are now utilized for a significantly different purpose: as a tool for fraudsters.
The Federal Trade Commission issued a warning in December 2023 regarding a novel form of phishing. The scam, which is appropriately named “quishing,” employs QR codes to deceive individuals into disclosing their confidential information.
Scammers send emails containing QR codes that encode URLs to malicious websites. The emails appear legitimate, either posing as package monitoring notices or impersonating known senders such as human resources representatives or CEOs. In emails alone, the cybersecurity platform Trellix identified more than 60,000 QR code fraud attempts during the third quarter of 2023.
Criminals also replace real QR codes with fake ones in public places like parking meters, menus, and signs. When the QR code is scanned, the link inside it may automatically download malware, open a payment website, or try to trick users into giving up their personal information or logins. Attackers who gain access to private data can take over devices or impersonate users, which helps the scam spread to people in the victim’s networks.
QR codes are accessible to everyone, but most people don’t know what risks they pose. Regular security software might not notice these scams because QR codes arrive as images or PDFs that hide their URLs. The strategy also exploits the fact that smartphone security isn’t as strong as computer security, and many people who learned to trust QR codes without checking every pixel aren’t aware of the scams.
Right now, a lot of quishing scams are getting through.
In May 2023, the first big quishing campaign went after Microsoft users at a major U.S. energy company. By the end of March 2024, the number of these emails had grown by more than 2,400%, or 270% per month on average. In the same month, Osterman Research and Ironscales released a study that said more than three-quarters of the companies they surveyed had been hit by quishing in the previous year. This included a lot of IT companies. In a strange twist, 77% of those who answered were “very” or “extremely” sure that their technology could detect security risks.
According to Abnormal Security’s H1 2024 Email Threat Report, about 9 out of 10 (89%) quishing attacks that their technology found were multifactor authentication requests meant to steal users’ passwords. The study also found that in the first quarter of 2024, 42 times more quishing attacks were aimed at executives than at employees. Executives may be more vulnerable because they have more security clearance and can get to private information that phishers want.
An Ironscales Principal Technology Strategist told SDxCentral that quishing is “just the first example of many other types of image-based attacks we’re going to see.”
With the rise of AI-based tools, sophisticated phishing scams are harder to spot, but consumers can feel more in control when they know more about them. Uniqlo offered advice on how to spot fake QR codes and avoid falling for scams.
Sticker scams should be avoided
Real QR codes can look a lot like fake ones, so check for any problems before you scan. If the QR code on a menu or sign has bumps, peeled edges, or looks like it has been stuck on top of something else, don’t scan it.
Update the OS and apps on your phone
Making sure your phone has the most recent operating system is the first thing you should do to protect yourself from harmful QR codes. Another important safety measure is two-factor authentication software that verifies your identity using your phone or apps.
You can stop automatic downloads
Scammers can cause a lot of damage before users even notice when they use QR codes and other image files to spread malware and other malicious content. A 2023 Mimecast study says that users and organizations can be safer if they configure their email settings to stop images from loading automatically.
Don’t respond to senders you don’t know, and check those you do know twice.
Do not scan a QR code, open links, give information, or download files if you get an email from someone you don’t know. When scammers impersonate well-known brands like Microsoft, DocuSign, and Amazon, it’s harder to catch them. Scammers also pick companies that are topical at the time, like pretending to be Amazon before Cyber Monday. If you get a strange email from someone you know, call them and make sure it’s them. If you think an email is phishing, don’t click on it; report it.
Don’t fall for fake urgency
Scammers use tricks to pressure people into acting right away. For example, a message posing as a company might ask you to call to reschedule a delivery, or it might say your account was hacked and ask you to check your information. The Federal Trade Commission says that people should inspect the URLs behind QR codes for red flags like random strings of letters, misspelled words, or letters that are switched around.
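The FTC's red flags can be checked mechanically once a QR code has been decoded to a URL. The Python sketch below is an added example, not code from the FTC or any vendor named in this article; the brand list, thresholds, function names and sample URLs are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

BRANDS = ("microsoft", "docusign", "amazon")  # brands the article names as impersonated

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters counts as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # switched letters
    return d[-1][-1]

def looks_random(token):
    """Heuristic (assumed thresholds): letter/digit flip-flopping or almost no vowels."""
    if len(token) < 8:
        return False
    flips = sum(x.isdigit() != y.isdigit() for x, y in zip(token, token[1:]))
    letters = [c for c in token.lower() if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    return flips >= 3 or (len(letters) >= 6 and vowels / len(letters) < 0.2)

def qr_url_red_flags(url, brands=BRANDS):
    """Return red-flag labels for a URL that was decoded from a QR code."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    for word in re.split(r"[.-]", host):
        for brand in brands:
            if osa_distance(word, brand) == 1:  # misspelled or letters switched
                flags.append(f"lookalike:{brand}")
    tokens = re.split(r"[^A-Za-z0-9]+", host + parts.path + "?" + parts.query)
    if any(looks_random(t) for t in tokens):
        flags.append("random-string")
    return flags

if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign.
    for u in (
        "https://www.amazon.com/orders", "https://amzaon-delivery.example/track",
        "https://micros0ft-login.example/verify", "https://pay.example/x7k2q9vbt4zr",
    ):
        print(u, qr_url_red_flags(u) or "no red flags found")
```

An empty result only means none of these particular heuristics fired; it does not mean the link is safe.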
Trust your gut
People who are good at following their gut can also avoid quishing mistakes. The best way to avoid most scams is to stay away from deals that don’t seem real and people who try to make you feel bad. Also, never give out personal information like Social Security numbers.
Take care before you scan. QR codes can be sketchy, just like files and links. AI-based image recognition software might be able to help find fake QR codes, and hopefully, scammers will be caught. For now, using common sense also helps.