QR codes have become commonplace in our everyday lives. With a quick scan from a smartphone camera, they offer a fast and easy way to find additional information, access services, or process payments. However, scammers have found ways to take advantage of their popularity and use them to steal money and information.
Protect yourself and your data by understanding how QR codes work and the common ways they’re exploited.
QR Codes—from Bus Stops to Baseball Games
QR (short for “Quick Response”) codes are two-dimensional barcodes made up of a unique configuration of black squares and dots. They can be scanned with your smartphone’s camera, which automatically translates the code into a message—often a website URL you can tap to open in your phone’s web browser.
QR codes pack quite a punch when it comes to usefulness and versatility. Because such a simple technology can provide quick access to just about anything online, there are countless creative ways businesses use them. Here are a few examples you’ve likely seen:
- Marketing and advertising: QR codes are often used in print and digital advertising to provide additional information about a product or service, or to drive traffic to a company’s website. For example, a QR code on a billboard or bus stop shelter ad might take you to a website where you can learn more about the product being promoted.
- Payment processing: Businesses can use QR codes to send someone directly to a payment processing app or site to facilitate quick and easy mobile payment. Many restaurants and businesses began offering this as a common form of contactless payment during the COVID-19 pandemic.
- Digital menus. Also during the pandemic, many restaurants began offering access to digital menus via QR codes displayed on their tables, in lieu of physical menus.
- Exhibit or venue information: Many museums, galleries, or other public spaces provide visitors with QR codes, so they can access additional information about the event or the space. An art gallery, for instance, may display a QR code at the exhibit entrance that takes visitors to a website with additional details about the artwork displayed.
- Event tickets or passes: QR codes are often displayed on physical or digital tickets for entertainment venues like concerts, sporting events, and shows. They are also used on passes to gain entry to places like museums and zoos.
Watch Out For QR Code Scams
While the technology behind QR codes is benign, scammers and hackers have found ways to use it to their advantage. Last year, the FBI released an announcement warning the public about the rise of QR code scams
A regular-looking QR code, for instance, might prompt someone to inadvertently download a malicious app or reveal sensitive or personal information. Here are some examples to watch out for:
- A physical postcard that appears to be from a legitimate company (like Amazon) offers a chance to test a new product for free and prompts the recipient to learn more by scanning a QR code. However, the QR code leads to a website set up by scammers to collect personal information—like name, address, and account details.
- A QR code stuck to a parking meter offers a convenient way to pay for parking. Scanning it leads to a fake payment portal that steals credit card information and deposits payments into the scammer’s bank account.
- A QR code at a restaurant offers contactless payment. However, the legitimate QR code displayed at the table has been discretely covered up by a sticker with a fraudulent code. The fake code prompts the diner to set up an account—presumably for the restaurant’s reward program—and steals the diner’s personal information.
- An email that appears to be from someone’s bank asks them to log into their online bank account by scanning a QR code in the email. The QR code leads to a fake, yet legitimate-looking, login page that collects the recipient’s bank login name and password, giving the scammers access to the funds in that account.
Protect Yourself Against QR Code Threats
QR codes can be a wonderful tool, but it’s important to remain vigilant and aware of misuse.The best way insureds can protect themselves and their companies is by being aware of trending threats and how to avoid them.
According to Taras Shalay, Jencap’s Midwest Region Managing Director and cyber expert: “Develop a habit of taking a closer look at QR codes before scanning. If a QR code or a site it brings up feels or looks “off”— misspelling, formatting that doesn’t match a company’s brand, or a weird-looking URL—take a few extra minutes to confirm legitimacy before proceeding.”
The next time you see a QR code, use these tips to keep yourself and your data safe:
- Verify the source. Only scan QR codes from businesses you know and trust. After scanning a code, take a close look at the URL and make sure it looks authentic.
- Double-check physical QR codes for tampering. If the QR code looks like it’s a sticker placed on top of another QR code, don’t use it.
- Only use your phone’s built-in QR code reader. Third party QR scanner apps can increase your chances of downloading malware.
- Never download apps directly from a QR code. Use your phone’s app store instead. Apps available from your phone’s app store are rigorously tested and less likely to contain malware.
- Don’t use QR codes sent in emails. Email security tools like URL scanners can’t identify suspicious links embedded in QR codes.
- Always be wary of using QR codes to make payments.
- Avoid entering login details on a site navigated through a QR code—even if it’s for a company you are familiar with. It’s safest to navigate to the company’s website separately and enter your log-in information there.
Although it’s important to proactively guard your insureds against cyber threats, adequate cyber insurance provides businesses with an additional, necessary layer of protection against the unexpected. Reach out to Jencap to speak with a cyber liability expert and get a quote today.