Read this before you scan another QR code
October 26, 2023
The Nigerian prince who wants to share his fortune with you? Steve Jobs, who emails you from the hereafter to tell you that you have won an iPhone! Yet another UPS parcel that couldn't be delivered?
The likelihood of fooling you with techniques like these has faded over the years. On the other hand, scammers aren't standing still: they are constantly coming up with new tricks to fool you. The wide range of scam techniques has recently seen a new addition: QR code fraud.
What is QR code fraud?
QR codes were designed around 30 years ago by a Japanese company that wanted to track car parts. In recent years in particular, they have found their way into many other applications: viewing menus, opening access gates at the airport, looking up manuals, connecting to Wi-Fi networks, etc. QR codes are now found “everywhere”. Due to the pandemic and the increasing importance of contactless payment, QR codes have also become popular in payment processing. You've probably already noticed QR codes popping up on invoices or payment documents. However, this has also attracted the attention of people with less than honest intentions. Essentially, QR code fraud is the manipulation or faking of a QR code so that it takes you to a different destination than was intended, usually a fraudulent one.
What form do these fake QR codes take?
Fake QR codes work like camouflaged bear traps. They look exactly the same as legitimate QR codes, even including branding elements from trusted organisations. While the differences are barely or not at all noticeable, the consequences can be dire. These are some of the most common forms in which fraudulent QR codes may turn up:
• Phishing emails (or letters) where the link in the message is replaced by a QR code, with or without clear instructions on how you should scan the QR code. However, the result is exactly the same as if you had clicked on a link: you are redirected to a suspicious website, where you are then asked to enter data.
• You may be looking for a new table, a ticket, a bicycle, etc. On your social media profile, you will see an advertisement from a site that sells bicycles at a very attractive price. However, you will not see any link to click, just a QR code that you need to scan using your smartphone to gain access. This is how you unwittingly install malware on your smartphone, allowing the fraudster to gain access to your contact list, your Wi-Fi network, and so on.
• You pay at a ticket machine in a car park by scanning the QR code on the machine. What you don't notice is that it has been covered over by a sticker with a fake QR code…
• You are at a cash register or the train station and someone asks you for help because they have left their bank card at home. Of course, they will transfer the money digitally as soon as you scan the QR code on their phone...
What happens when you scan a fraudulent QR code?
In the best case, you are the victim of a bad joke. In the worst case, it can lead to gross financial fraud and identity theft. Some of the threats you may face include:
- Unwanted emails or messages: a QR code can have a user subscribe to an unsolicited service or mailing list.
- Financial fraud: scanning an untrustworthy QR code can lead to financial fraud, where cyber criminals can gain access to your card or account details and use them for fraudulent transactions.
- Malware: if you download a program after scanning the QR code, it may contain malware that can infect your device, leading to data theft, system crashes and other problems.
- Phishing: a QR code can also lead to phishing scams, where cyber criminals collect valuable user information.
- Identity theft: scanning untrustworthy QR codes can also lead to identity theft, where cyber criminals steal your personal data, such as your name, address, social security number, and so on.
How can you protect yourself?
A QR code is basically nothing more than a link, represented as a sort of barcode in the form of black and white squares. A QR code in itself is therefore neither dangerous nor anything to fear. However, it is necessary to treat them with a healthy dose of caution.
- When you scan a QR code, most smartphones will display the web address before opening it. Please check the URL carefully to make sure it is legitimate and not a variation on a well-known website (e.g. gooogle.com instead of google.com). A shortened link (such as bit.ly) in a QR code is particularly suspicious. After all, there is plenty of space for a full web address. Do not click on it until you are certain.
- Take a close look at the QR code itself. If a sticker has been placed over a QR code on an official card or poster, this may be a sign of fraud. Don't be misled by official-looking documents, such as a letter from your bank containing a QR code.
- Refrain from blindly filling in personal information after scanning a QR code. If you are asked for financial or personal details, double-check that the website is legitimate.
- Be extremely careful if you receive a payment request with a QR code. In that case, pay using an official application such as Payconiq.
- Make sure the security software on your device is up to date. This reduces the risk of malware being installed successfully.
- Be careful if someone actively approaches you and asks you to scan a QR code, especially when it relates to financial transactions or sharing personal information.
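The URL check from the first tip can also be automated, for example in a scanner app or a mail filter that decodes QR images. The sketch below is an added example, not part of the original article: the function names, the trusted-domain list and the shortener list are assumptions made for illustration, and it goes slightly beyond the article by also flagging plain HTTP, punycode hosts and a trusted name used as a subdomain.

```python
from urllib.parse import urlsplit

# Illustrative lists (assumptions of this example); maintain your own in practice.
TRUSTED = {"google.com", "payconiq.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def check_qr_url(payload: str) -> list[str]:
    """Return warnings for text decoded from a QR code (empty = no check fired)."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return ["not a web link"]
    warnings = []
    if parts.scheme == "http":
        warnings.append("no TLS")
    if "@" in parts.netloc:
        warnings.append("userinfo before host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host")
    # Simplification: last two labels stand in for the registrable domain
    # (a real check would consult the Public Suffix List).
    domain = ".".join(host.split(".")[-2:])
    if domain in SHORTENERS:
        warnings.append("shortened link hides the destination")
    elif domain not in TRUSTED:
        for brand in sorted(TRUSTED):
            if edit_distance(domain, brand) <= 2:
                warnings.append(f"lookalike of {brand}")
            elif brand in host:
                warnings.append(f"{brand} used as a subdomain of {domain}")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, not taken from real campaigns.
    for sample in ("https://www.google.com/", "https://gooogle.com/login",
                   "http://bit.ly/abc", "https://google.com.pay-now.example/"):
        print(sample, "->", check_qr_url(sample) or "no warnings")
```

An empty result only means none of these checks fired; an unknown domain still needs the manual look the tips above describe.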
Scanned a fraudulent QR code by mistake?
Scanning a malicious QR code in itself is usually not the biggest risk; sharing your data or downloading malware is the problem. Did you notice anything suspicious, even if the link seems legitimate? Do not fill in any more fields and abort the interaction now. Do not pass on personal codes or download applications if requested. If you shared a password that you use somewhere else, change it immediately. Forward suspicious messages to firstname.lastname@example.org.
Is it better to just never scan QR codes?
It is wise to be careful when scanning QR codes, but it is not necessary to avoid them altogether. QR codes are a handy and widely used way to quickly access information or make mobile payments, for example. What is important is that you remain aware and critical when scanning QR codes, so you can protect yourself from potential risks.
Victim of fraud?
Did you leave your Keytrade account details on a suspicious website? Have you noticed a suspicious payment? Call us 24/7 on + 32 2 679 90 00.