Beware of too many scans: why should you stay vigilant with QR codes
Safe surfing
How did you end up on this page? Did you scan an unobtrusive QR code (Quick Response Code) that you saw somewhere? If so, there were no serious consequences for you this time. Nevertheless, you should think carefully about what you scan with your mobile phone. The following example shows why.
Actually, you only wanted to pop into the supermarket for some flour. Standing in front of the parking meter, you realise that your wallet is still at home on the sofa. No problem, you think, the parking meter has a QR code. You quickly pull out your mobile phone, scan the square code and pay the parking fee. Even in the supermarket itself, having left your wallet at home is no problem at all thanks to Twint & Co. Pull out your mobile, scan the QR code and pay.
On the way back to the car, you spot a poster of a great band. It has a QR code on it, which is supposed to take you to the ticket shop. Pull out your mobile, scan it ... and regret it. You notice too late that the QR code was just a sticker and didn't actually belong to the poster. Instead of leading you to the ticket shop, the QR code led you to a fraudulent phishing site.
What can go wrong?
QR codes are like Kinder Surprise eggs: you never really know what you're going to get. Unlike conventional phishing attempts, where a fake link can often be recognised by looking at it, the content of a QR code is invisible to the eye.
Since cyber criminals have also discovered the advantages of QR codes for themselves, scanning a code sometimes brings not the joy of discovery, creativity or a game, but a nasty surprise. A QR code can lead to a fraudulent website through which cyber criminals want to steal their victims' data. However, a QR code could also contain a download link for a malware programme, login information for a dubious Wi-Fi hotspot or an instruction to transmit location data. Unfortunately, there are no limits to the creativity of cyber criminals.
If QR codes are used to deliberately mislead victims, this is referred to as QR phishing, QR code phishing, quishing or QRishing.
In short
Instead of leading to the desired website, a QR code can also ...
- direct you to a phishing website,
- contain a download link for a malicious programme,
- transmit login information for dubious WLAN hotspots,
- or send an instruction to transmit position data.
How can it affect me?
QR codes have established themselves in our everyday lives. Scanning a code has become routine for many people - and this is precisely what cyber criminals are exploiting. As soon as something becomes commonplace, people stop questioning it. This is why fraudsters send fake invoices with manipulated QR codes, for example. To do this, they also scour email accounts that have already been hacked, imitate genuine invoices and change the IBAN to their own. Cyber criminals have since developed this QR scam further: they build QR codes out of special characters (ASCII/Unicode), which can prevent security programmes from recognising the QR codes as such.
However, the danger lurks not only in the digital mailbox but also in the real world. Fake and manipulated QR codes have already appeared on parking meters, ATMs, petrol stations, shop windows and in restaurants, including in Switzerland. It is no challenge for a fraudster to print out a fake QR code and stick it over an existing one - or to add a QR code where there was none before.
How can you protect yourself from QR risks?
You don't have to buy expensive IT security products to protect yourself from potential risks behind QR codes. Instead, constant vigilance is required:
- Do I really need to scan this QR code? You cannot be sure what is behind a QR code, so you should think twice about whether you really want to scan it. If it is not clear who the author of the code is, you should not take any unnecessary risks and leave it alone.
- Has the QR code been stuck on or manipulated? Before you scan a code, you should check it. It may just be a sticker, which doesn't belong there. If in doubt, you should refrain from scanning the code.
- Does the QR code call up the desired website? If you still want to scan a QR code, it is advisable to use the standard Android or iPhone camera app. Reputable apps like these first show which website the code wants to call up or which action it will trigger, so nothing happens until you check and confirm the action. Scan, think, click!
- Is the website I have landed on trustworthy? Even if the QR code and the website appear to be trustworthy, you should remain vigilant. More and more dynamic QR codes are appearing, in which a short URL is embedded that only then redirects you to the actual target website. And as scams are becoming increasingly sophisticated, you should remain vigilant even on supposedly trustworthy websites (more on this in the "Further information" section).
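The "scan, think, click" step above rests on one thing: reading what the code actually decodes to before acting. The following Python function, added here as an illustration and not part of this article or any official tool, takes the decoded text of a QR code and explains the action it would trigger (website, Wi-Fi login, location, QR-bill payment) together with the reasons for caution named above; the shortener list, the download file types and the sample payloads are assumptions constructed for the example.

```python
# Added example (not from the original article): triage the decoded text of a
# QR code before acting on it, mirroring what a camera app shows before you tap.
from urllib.parse import urlsplit

# Well-known URL shorteners (partial list, an assumption): a short link hides
# the real destination behind a redirect, as with "dynamic" QR codes.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# File types a phone would download or install rather than display (heuristic).
DOWNLOAD_EXT = (".apk", ".exe", ".msi", ".dmg", ".zip", ".js", ".scr")


def triage_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload and list the reasons for caution."""
    text = payload.strip()
    result = {"action": "unknown", "warnings": []}
    if text.upper().startswith("WIFI:"):
        # Wi-Fi join payload (WIFI:T:WPA;S:<ssid>;P:<password>;;): the phone
        # would connect to a hotspot you did not choose.
        fields = dict(f.split(":", 1) for f in text[5:].split(";") if ":" in f)
        result["action"] = f"join Wi-Fi network {fields.get('S', '?')!r}"
        result["warnings"].append("connects your phone to a hotspot you did not choose")
    elif text.lower().startswith("geo:"):
        # geo URI (RFC 5870): a location action, not a website.
        result["action"] = f"open location {text[4:]}"
        result["warnings"].append("location-related action, not a website")
    elif text.startswith("SPC\n"):
        # Swiss QR-bill payload: line 4 is the creditor IBAN the bank will pay.
        lines = text.split("\n")
        iban = lines[3] if len(lines) > 3 else "?"
        result["action"] = f"pay invoice to IBAN {iban}"
        result["warnings"].append("compare the IBAN with the one on the original invoice")
    else:
        # Anything else is treated as a link; add a scheme if the code omitted it.
        parts = urlsplit(text if "://" in text else "https://" + text)
        host = parts.hostname or ""
        result["action"] = f"open website {host}"
        if parts.scheme == "http":
            result["warnings"].append("unencrypted http link")
        if host in SHORTENERS:
            result["warnings"].append("short URL: the real destination is hidden behind a redirect")
        if parts.path.lower().endswith(DOWNLOAD_EXT):
            result["warnings"].append("link points at a downloadable program")
    return result


if __name__ == "__main__":
    # Constructed sample payload: a sticker-style short link.
    print(triage_qr_payload("https://bit.ly/3abc"))
```

An empty warnings list does not make a link safe; it only means none of the listed tell-tale signs is present, so the checks on the landing page still apply.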
Further information
- BACS: QR codes - applications and risks: https://www.ncsc.admin.ch/ncsc/de/home/infos-fuer/infos-private/aktuelle-themen/qr-code-anwendungen-und-risiken.html
- SwissCybersecurity.net: QR codes from ASCII/Unicode blocks: https://www.swisscybersecurity.net/news/2024-10-11/barracuda-identifiziert-neue-qr-phishing-methoden
- SwissCybersecurity.net: Crooks forge QR codes on car park ticket machines: https://www.swisscybersecurity.net/news/2024-07-11/gauner-faelschen-qr-codes-auf-parkautomaten
- E-banking but secure: Quick Response code (QR code): https://www.ebas.ch/quick-response-code-qr-code/
- E-banking but secure: QR-bill: https://www.ebas.ch/qr-rechnung/
- iBarry: How are we deceived in the digital world? https://www.ibarry.ch/de/risiken-im-internet/social-engineering-fake-news/
- SKP: Information on phishing and the legal situation in Switzerland: https://www.skppsc.ch/de/themen/internet/phishing/
- SwissCybersecurity.net: How to recognise phishing? https://www.swisscybersecurity.net/cybersecurity/2022-03-30/wie-sie-phishing-erkennen/0lt0
- SwissCybersecurity.net: How to spot fake online shops? https://www.swisscybersecurity.net/news/2023-08-09/wie-man-fake-onlineshops-erkennt/0lt0