Hidden Scams: The QR Code Security Scam

Cybercriminals are exploiting the growing popularity of QR codes. Its popularity has inspired cyber criminals into using them to tick people and gain access to their login details and personal information. They do this by hacking, scamming, or causing malware infections on their phones and other devices.

What is a QR code?

A QR code, also known as a Quick Response Code, is a type of barcode that stores information in a quick-response format. A smartphone can read the data in a QR code using its camera, making storing and accessing information convenient. To use it, point your smartphone's camera at a QR code, and it will automatically direct you to a website.

In the 1960s, when Japan's economy entered a period of high economic growth, there was an increased demand for various goods. Denso Wave, a Japanese auto manufacturing company, invented the QR code. Initially, QR codes enabled high-speed scanning and tracking of components during the assembly process.

What is QR code Scamming / QR Jacking?

Since the pandemic, QR codes have become a popular way for smartphone users to share contact information, access restaurant menus, and much more. But scammers have found ways that they can socially engineer ‘fake’ QR codes that can be used to manipulate victims into sharing personal information and bank details.

How does the QR code scam work?

Scammers place a ‘fake’ QR code over a real one to trick people into giving away their information. They achieve this by having the ‘fake’ QR code send the user to a malicious URL that will use phishing and social engineering strategies in an attempt to exploit unaware visitors.

For example, a fake QR code can be put on a parking meter or charging point. Unsuspecting victims use the code to access what is presumed to be a genuine website for payment purposes. However, although the website may look authentic, scammers set it up. When victims enter their bank details to make a payment, the scammer quickly extracts this information and steals money from the victim's bank account.

QR code scam: A list of reflective case studies

In this article, we have listed various QR code scams from all over of the world. We hope that from reading these reflective case studies, you will be more cautious about what you scan. We will also be sharing dome great QR code safety tips to hopefully help increase your human firewall.

Bubble milk tea QR code survey scam

A 60-year-old lady from Singapore lost $20,000 to an online scam after visiting a bubble tea shop. The woman was enticed by a sticker on the bubble tea shop's glass door, which encouraged visitors to scan a QR code and fill out a survey for a "free cup of milk tea."

This may not seem like a scam to most people, even tech-savvy people, because loyalty and rewards programs often advertise such offers and use QR codes to promote them. According to Straits Times, When the woman went to bed later that night, her phone lit up with a notification from the bogus "survey" app. The app had extracted $20,000 from her bank account.

After further investigation, she is not the only victim of the QR scam. In April 2023, the police and the Cyber Security Agency of Singapore warned the public about downloading apps from suspicious sites.

Netflix QR code scam

A scam QR code that says, "You have won 2 years subscription to Netflix" was recently discovered. Cyber criminals use QR codes to steal personal and financial information from unsuspecting users or redirect them to malicious content and scam sites.

The cyber criminal uses the logos and other official Netflix brand features to make their scams appear legitimate. In this case, the scammers use the Netflix brand and its logo. It's important to note that Netflix has nothing to do with this scam.

In an attempt to convince people to scan a malicious QR code, scammers are using the offer of a free two-year subscription to Netflix as bait. When a user scans a malicious QR code, they'll be redirected to a malicious URL that checks whether the request is coming from a mobile device, such as a tablet or smartphone. If the validation passed, the website obtains geolocation data for the victim's IP address and then redirects them according to their country. If validation fails, they are redirected to a page which displays an error message.

Parking ticket QR scam

In the U.S. and U.K., scammers have used QR codes to manipulate their victims into paying them money. In San Francisco, fake parking tickets with QR codes on them were found on drivers' windshields; these links led people to fraudulent web pages where they were asked to enter their credit card information.

Martha Gale, who fell victim to a QR code scam, claims she received a large delivery of products she did not order the morning after her daughter parked in downtown Lafayette - US. According to Yahoo News, the woman got a $788 shopping charge after her daughter used a QR code to pay for parking. It appears that the QR code was not actually for the parking lot but a scam.

In Atlanta - US, a motorist recently had money taken from their bank account after trying to pay for parking using a false QR code stuck to the machine. Cyber criminals were caught putting QR codes on parking meters that directed their victims to a fake website to pay fines. In the U.K., local governments have warned residents about parking meters with false QR codes that direct drivers to fake websites and capture their payment details.

Mosque charity box QR scam

In Jakarta-Indonesia, cybercriminals are taking advantage of their victims by "printing and pasting QR codes", which have recently been occurring in charity boxes at several mosques in Jakarta. Around 50 fake QR code stickers were found around the Jakarta Istiqlal mosque. The Deputy Head of the Jakarta Istiqlal Mosque Worship Organization, Abu Hurairah, said: "Some of our officers are suspicious. Why is there an inscription on the restoration of the mosque? There are about 50". The police captured the cybercriminal while he was taking action to lure other victims from The mosques in the Kebayoran Lama, Pancoran, Pondok Indah, and Kalibata areas. Despite the fact that the cybercriminal had been caught, Jakarta police officers warned everyone to always be cautious about what QR code they scan.

Restaurant QR Code Scam

In an unfortunate incident near Pune railway station - India, a 50-year-old woman from Bavdhan fell victim to QR code fraud while attempting to order food from a restaurant. After finding the restaurant's contact number online, she called with the intention of getting the food delivered to her home. The person who answered the call identified himself as a restaurant employee. Subsequently, the suspect sent two QR codes to the woman, instructing her to scan them for making payments towards the food order. Trusting the individual, she complied with the request, only to lose Rs 41,000 in the process.

The incident occurred in October 2022, and the woman lodged a complaint at Samarth police station. The Pimpri Chinchwad cyber cell verified the complaint and later transferred the case to the Hinjewadi police station, where an FIR was registered on Tuesday.

How to spot a fake QR code?

The ongoing pandemic has significantly accelerated the adoption of digital payment methods, particularly those utilising QR codes for contactless transactions. While these advancements have facilitated convenient and safe payment options, there has been a concerning rise in scams and fraudulent activities involving ‘fake’ QR codes. To protect yourself and stay vigilant against such scams, here are some effective ways to identify a fake QR code and exercise caution in your transactions:

1. Always ensure to verify the source of a QR code before scanning it.

The initial and crucial step is to verify the conditions and surroundings when prompted to scan a QR code. Avoid scanning publicly available QR codes, as they are susceptible to modification by fraudsters. When making payments at cafes or restaurants that accept QR codes, ensure to request a secure link or utilise a dedicated banking app for transactions.

2. Check for QR Code Authenticity

To distinguish between a fake and genuine QR Code, it's essential to understand the various types of QR Codes in the digital world. Always avoid scanning tampered QR codes that appear distorted or damaged. If you're interested in delving into QR Code technicalities, refer to this comprehensive guide to learn more and identify these codes.

3. Verify Redirected URL from QR Code

For your digital safety when scanning a QR code, always inspect the redirected URL by previewing the link obtained through scanning. Follow these simple steps to preview the link on an Android device:

Open the camera app and scan the QR code.
If unable to scan through the camera app, install a third-party QR code scanner from Google Play Store.
Carefully examine the obtained link/text.
To authenticate the page, privately search the link without providing any personal details on the page.

On an iPhone, you can use your phone camera to scan the QR code by following this easy guide on how to scan any QR Code.

4. Avoid Scanning QR Codes from Emails

Many QR code scam victims have reported receiving fraudulent codes through personal email accounts. Scammers often use anonymous or temporary email accounts to send these emails with attached QR codes to avoid detection. To ensure your digital safety:

Never scan any QR Code received via email or junk mail.
If a friend or known associate sends you a QR code through email, request a different mode of payment or a dedicated link for enhanced security.

The Key Takeaways

We hope that this article has equipped you with the knowledge and awareness needed to shield yourselves from potential QR code-related scams. Remember, vigilance and caution are your allies in the digital world. By taking the necessary precautions and verifying QR codes' authenticity, you can thwart malicious schemes and protect your personal information.

At Overt Software Solutions, our commitment to cyber security extends beyond this blog post. If you're eager to bolster your online safety further, check out our popular content on "Become a Human Firewall: 12 Non-Technical Security Tips." Arm yourself with practical knowledge to fortify your digital defenses.

Human Firewall, Non technical security tips

Read the full article

To stay up-to-date with our latest insights and cybersecurity resources, we invite you to follow us on social media and subscribe to our newsletter. Stay safe, stay informed, and let's navigate the digital world with confidence!

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
tve_leads_unique	1 month	This cookie is set by the provider Thrive Themes. This cookie is used to know which optin form the visitor has filled out when subscribing a newsletter.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
c3po.jpg	Session	This pixel tracker, set by metricool.com, collects data on the user’s navigation and behaviour on the website. This is used to compile statistical reports and heatmaps for the website owner.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook as part of their embedded services on our websites (likes, sharing etc.).
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
ClientId	1 year	No description available.
li_gc	2 years	No description
OIDC	6 months	No description available.
OutlookSession	session	No description available.
tl_1206_1206_4	1 month	No description
tl_544_544_1	1 month	No description