Can someone hack your phone through a QR code? Can a scammer steal your personal and financial information via a QR code?
Can a bad actor encrypt your device until you pay a ransom? Yes, yes, and yes.
A year ago, the FBI raised fears that those possibilities were real, and now security and privacy experts are raising the ceiling on those fears even higher. They pose questions about how the general public can protect themselves when they’re scanning QR codes to confirm package deliveries, add time to a parking meter, or view an advertisement.
“Unfortunately as the popularity of QR codes has increased with the public, its popularity has also increased with scammers who are setting up phony QR codes to lure you to their bogus website where they solicit personal information used for identity theft or persuade you to make a payment with a credit card,” attorney Steven Weisman wrote for Scamicide.
“Or even in some instances, merely by scanning the phony QR code, you will download harmful malware such as ransomware or even malware that will enable the scammer to take over your email account.”
And the possibilities are infinite. When ConsumerAffairs dug into all the ways that QR codes could be clandestinely turned into digital weapons, we found everything from digital business cards, menus, social media links, app downloads, PDFs and location pins to text messages, phone calls, payments, rewards and discounts, and WhatsApp conversations.
How bad can a fake QR code mess up your life?
As Yaniv Masjedi at Aura points out, there’s “technically” no such thing as a “fake” QR code. “The codes themselves aren’t dangerous — it’s how they’re used that can become problematic,” he says.
The real trouble is a rabbit hole that the scammers have built, and once they get a victim inside, there are few ways to burrow out. Here’s everything that could go wrong:
- You could be redirected to a phishing website. With things like Photoshop and website builders in their treasure box, a scammer can easily make you believe that you’ve landed on a real big brand website – one that most people will never detect as fake. Once you’ve taken that bait, they then ask for your sensitive information. “But anything you enter — name, contact information, credit card number — goes to the scammer and can be used to steal your identity,” Masjedi said.
- Your device could be infected by malware. Masjedi continued – “QR codes can also download malicious software onto your device such as malware, ransomware, and trojans. These viruses can spy on you, steal your sensitive information or files (like photos and videos), or even encrypt your device until you pay a ransom.”
- If the scammer is good at their game, a QR code could send an email from your account. On top of designing QR codes to send people to websites, scammers can also program the codes to open payment sites (think PayPal or Venmo), follow social media accounts, and send pre-written emails.
Is there a solution?
The good news is that there are ways people can protect themselves. The bad news is that most of them are very granular and take extra work.
“The first step to protecting yourself is to always check the URL of any website the QR code takes you to that requests a payment or personal information,” Weisman said. “If the URL does not begin with https, but only begins with http, you know it is a scam.”
When it comes to updates on orders from places like Amazon or deliveries from UPS or FedEx, Weisman suggests skipping the QR code and going directly to your account instead.
“If you receive an unordered package with a QR code to scan for instructions to return it, go directly to your account at a legitimate company, such as Amazon rather than use the QR code. And just like you shouldn’t click on links in social media posts unless you have absolutely confirmed they are legitimate, the same holds true for QR codes in social media. Trust me, you can’t trust anyone.”
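The URL check Weisman describes, together with the non-website actions listed above (pre-written emails, texts, calls), can be applied to the text a scanner decodes before anything is opened. The sketch below is an added example, not from the article; `inspect_qr_payload`, `expected_host` and the sample payloads are constructed for illustration, and because https only indicates an encrypted connection, it also compares the destination with the site you meant to reach.

```python
from urllib.parse import urlsplit, parse_qs, unquote

def inspect_qr_payload(payload, expected_host=None):
    """Describe what a decoded QR payload would do, without opening it.

    Returns (action, warnings). expected_host is the site the reader
    believes the code belongs to (hypothetical parameter for this example).
    """
    warnings = []
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
        user = parts.username
    except ValueError:
        return ("unknown", ["malformed address"])
    scheme = parts.scheme.lower()

    if scheme in ("http", "https"):
        if scheme == "http":
            warnings.append("not https")
        if user is not None:
            warnings.append("text before '@' is not the real site")
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("encoded (punycode) name, possible look-alike")
        # https only shows the connection is encrypted, so the host
        # is also compared with the site the reader expected.
        if expected_host and host != expected_host \
                and not host.endswith("." + expected_host):
            warnings.append(f"goes to {host}, not {expected_host}")
        return (f"open website {host}", warnings)

    if scheme in ("mailto", "sms"):
        fields = parse_qs(parts.query)
        if "body" in fields or "subject" in fields:
            warnings.append("message text is already filled in")
        verb = "compose email to" if scheme == "mailto" else "send text to"
        return (f"{verb} {unquote(parts.path)}", warnings)

    if scheme == "tel":
        return (f"call {parts.path}", warnings)
    return ("unknown", [f"unrecognised payload type {scheme or 'none'}"])

# Constructed sample payloads (reserved .example domains)
SAMPLES = [
    ("http://parking.example/pay", None),
    ("https://amazon.com.returns-help.example/label", "amazon.com"),
    ("https://paypal.com@pay.example/send", "paypal.com"),
    ("mailto:billing@corp.example?subject=Refund&body=Card%20number", None),
]

if __name__ == "__main__":
    for payload, expected in SAMPLES:
        print(payload, "->", inspect_qr_payload(payload, expected))
```

An empty warning list means only that none of these specific signs were found, not that the destination is legitimate.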
If you have a recent smartphone – ones with iOS 13 and above and Android 9 and above – Beaconstac says that those come equipped with advanced QR Code readers. So you really don’t need to download any third-party app.
But if you have an older phone – or simply want to add another level of security – ConsumerAffairs found these two apps as the best-rated possible solutions:
- Kaspersky’s QR Code Reader and Scanner: GooglePlay 4.4*; Apple App Store 4.6*
- QR & Barcode Reader by Gamma Play: GooglePlay 4.5*; Apple App Store 4.3*