Smartphone owners around the world have been warned about scanning QR codes that contain malware.
Bad actors are increasingly using QR codes to scam people out of their money.
Last year, a report from cybersecurity firm TitanHQ found that nearly 84 percent of smartphone users have scanned a QR code at least once, and more than 34 percent scan a QR code once a week.
However, the growing popularity of the technology has led to a rise in QR code phishing.
This term describes fake QR codes that link to malware or a compromised website that can steal your data and money.
“They can access any account you have if they have enough time,” FBI Special Agent Siobhan Johnson warned in 2022.
“You might find this malicious QR code on a menu or on a flyer that someone put out for people to see,” added Johnson.
“And once you use that QR code, you’re taken to a malicious website designed to mirror a real one.”
Such was the case of a 60-year-old woman in Singapore who had SGD 20,000 ($15,000) stolen from her bank account.
The woman had scanned a QR code earlier that day, which prompted her to download a third-party app to “fill out a survey.”
A few hours later, she discovered that the app was actually malicious software that had hacked into her Android device and stolen her money from her banking apps, Borneo Bulletin reported.
HOW DO THESE SCAMS WORK?
QR codes work by encoding information in a black-and-white dot-based image.
When a smartphone camera, app, or QR code scanning device scans the code, it translates that data into human-readable information.
In scams, however, fraudsters add a malicious QR code to a legitimate-looking email or post it somewhere in public view.
HOW TO PROTECT YOURSELF
There are several ways to reduce your risk of QR phishing. TitanHQ recommends educating yourself first and foremost.
“Education is key, use behavior-based security awareness training to mitigate the risks,” the company said.
“If you’re concerned about your work information, make sure you include QR code phishing templates in your simulated phishing exercises so that employees understand what these phishing emails look like and the different methods used to steal login credentials and other data.”
Second, use a DNS filter, which can break the phishing cycle.
DNS filters do this by preventing users from navigating to a website loaded with malware.
Third, it helps to apply email filters, which use multiple methods to intercept hard-to-detect phishing messages.