QR Code Threats: Quick Response or Quick Risk

QR codes (Quick Response) are not new but have become extremely popular over the last several years. Sadly, as technologies and human behaviours evolve, so do the risks as fraudsters often adapt faster. QR code creators convert this information into binary and display it as a pattern of squares and spaces; a square barcode. QR code readers do the reverse, converting the binary into usable information. Businesses use this technique and technology for many legitimate purposes, but unfortunately, scammers can also misuse it for fraudulent activities. This article explores the risks and countermeasures.

• Phishing – Scammers can create QR codes linking to fake websites that mimic legitimate businesses in much the same way phishing emails include links to fraudulent sites. Scanning the QR code may unknowingly provide fraudsters with sensitive information. E.g., login credentials and credit card numbers.

• Malware – QR codes can link to websites with malicious content, such as viruses and spyware. Again, this is similar to what happens with phishing emails, but with a difference: you are looking at a square barcode rather than at a link. The link information will not be available until your scanner reads the code.

There are many legitimate uses of QR codes, and it would be a shame if the fraud discourages businesses from using the technology and realising its benefits. Protecting yourself from becoming a QR code fraud victim requires examining the context and situation in which you use them.

Here are some detailed examples and scenarios to illustrate how the technology is in use, how fraudsters target their unsuspecting victims, and countermeasures, which primarily involve being more mindful and taking extra precautions when scanning:

• Business cards, product packaging, and printed advertisements – linking directly to websites to allow quick access to product and service information

• Utility bill payments

• Airline tickets

• Cinema or theatre tickets, concerts, conferences, or other venues that facilitate paperless entry

• Contactless payments through Google Pay, Apple Pay, or any number of mobile banking applications

• QR codes at tourist attractions to link through to historical information or provide current map locations

• Labelling equipment, spare parts, and other warehouse items makes it practical for supplier chain, inventory management and tracking products from production to distribution – the QR code originates from labelling car parts in Japan.
  • The Universal Product Code (UPC) Barcode consists of 12 digits and often needs multiple barcodes to capture the required information.
  • QR codes provide the capacity to store significantly more data – 3 kilobytes.
  • The quantity of useable information differs depending on the data type – numeric, alphanumeric, binary, or Japanese.

• Patient wristbands to provide quick access to critical health information in hospitals

• Emergency contact information

• Restaurant menus, ordering and bill payment

General countermeasures to help protect you against QR code fraud include:

• Don’t scan QR codes from sources you don’t trust
  • Verify the origin and legitimacy of QR codes
  • Use official websites and apps from reputable companies.
  • Avoid scanning QR codes if you have never heard of the company
  • Avoid scanning QR codes from unsolicited sources

• Be suspicious of unsolicited QR codes received via email, text messages, or social media, as these are unnecessary:
  • Scammers use these channels to distribute malicious QR codes
  • Businesses would never need to send the information through a QR code; they would send readable text and links through these channels.
  • The exceptions include, for example, QR codes for train tickets, theatre tickets, airline tickets, or other events in the future where the QR code allows paperless entry but would be in response to making a purchase and not unsolicited.

• Examine QR codes closely before scanning. Look for any signs of tampering; if anything looks suspicious, don’t scan the code. Consider:
  • Anything that looks like an alteration or anything added
  • If someone has placed a new QR code sticker over an original

• Check the web address before entering personal information or making payments, and make sure it matches the business’s official website.

• Keep operating system and application software up to date as developers frequently release new updates to address security vulnerabilities.

• Install reputable antivirus or anti-malware software to help detect and prevent malicious software.

The above list is not exhaustive, and it is necessary to change your mindset when using this kind of technology and develop a healthy level of suspicion. As with all types of fraudulent activity, QR code fraud is evolving; therefore, staying informed and being cautious to protect yourself and your personal information is essential.

Here are some scenarios and consequences:

• Restaurant bill payments
  • A scammer adds a QR code sticker over the original on a restaurant menu
  • The customer scans the code and visits a fake restaurant website
  • The customer pays the restaurant bill to a fraudster
  • The restaurant may challenge the customer when they get up to leave, or it may involve authorities at a later date

• Fake event tickets
  • Fraudsters use a fake website to sell tickets to a popular event and deliver the tickets with QR codes to unsuspecting victims.
  • The ticket website and the tickets look convincing and official
  • The customer is unaware of any problems until they are unable to gain entry to the event

• Restaurant orders with upfront payments
  • A scammer covertly swaps official menus with a reproduction containing a different QR code that directs the customer to a convincing website copy.
  • The customer places an order for food and makes a payment
  • The food never arrives
  • The customer complains and provides evidence of payment
  • The restaurant apologises and delivers the food, and suffers a loss in reputation through negative word of mouth

• Parking tickets
  • A scammer places a QR code sticker over the top of the original code
  • An unsuspecting  driver scans the QR code to buy their parking ticket
  • Scanning the code directs the driver through to a fake car park payment website, enters payment details along with the car registration number
  • The site sends a text message confirming receipt of payment and the valid duration of their parking
  • The car parking attendant, traffic warden, or Automatic Number Place Recognition (ANPR) identifies the vehicle as parked without payment
  • The driver receives a fine in the post, and the process to challenge such fines is complex, time-consuming, and, in some cases, more expensive than paying the fine and moving on

• Free parking – a variation on the previous parking ticket example
  • A scammer prints posters and places them in free-parking areas
  • The parking tariff and payment instructions look official and well-presented, but they are fake
  • Drivers park up, pay for parking, and receive a confirmation email or text message
  • The scammer takes the money, and the driver is unaware of what has happened

• Train travel – 20 days for the price of 2 days – this example illustrates where passengers avoid paying their fares, which takes advantage of poor staffing levels on some routes and the absence of ticket gates at many stations. In this example, the traveller needs to commute every day. In this case, the unexpected victim is the train company.
  • For day one, the traveller purchases two return tickets using an official ticket website such as Train Line. The 1^st is an open-return ticket from Station A to Station B, and the 2^nd is an open-return ticket return from Station B to Station A
  • On day one, the traveller uses the outbound portions of both tickets for the outbound and return journey. On this day, it doesn’t matter if there is an unexpected ticket inspection as they are only valid for one day.
  • On day two and subsequent days, the traveller uses the return portion of the 2^nd ticket for their outbound journey and the return portion of the 1^st ticket for their return journey. Both return portions are valid for 30 days.
  • If a ticket inspector scans the QR code, it will no longer be valid for subsequent travel on the journey. The traveller can buy a replacement open return ticket and continue.
  • Accepting the losses is likely cheaper than increasing the workforce and ticket gates for the train operators and stations.

To conclude, you should be careful when using QR codes and exercise the same level of caution, scepticism, and suspicion as when you receive social media messages, text messages, or unsolicited emails containing website links.