Beware of too many scans: why should you stay vigilant with QR codes

How did you end up on this page? Did you scan an unobtrusive QR code (Quick Response Code) that you saw somewhere? In this case, there were no serious consequences for you. Nevertheless, you should think carefully about what you scan with your mobile phone. The following example shows why.

iBarry

Actually, you just wanted to pop into the supermarket for some flour. Standing in front of the parking meter, you realise that your wallet is still at home on the sofa. No problem, you think, the parking meter has a QR code. You quickly pull out your mobile phone, scan the bulky code and pay the parking fee. Even in the supermarket itself, having left your wallet at home is no problem at all, thanks to Twint & Co. Pull out your mobile, scan the QR code and pay.

On the way back to the car, you spot a poster of a great band. It has a QR code on it, which is supposed to take you to the ticket shop. Pull out your mobile, scan it ... and regret it. You notice too late that the QR code was just a sticker and didn't actually belong to the poster. Instead of leading you to the ticket shop, the QR code led you to a fraudulent phishing site.

What can go wrong?

QR codes are like Kinder surprise eggs: you never really know what you're going to get. In contrast to conventional phishing attempts, where fake links can often be recognised, the content of a QR code is invisible to the eye.

Since cyber criminals have also discovered the advantages of QR codes for themselves, scanning these codes is sometimes less about the joy of discovery, creativity and playing games and more of a nasty surprise. QR codes can lead to a fraudulent website through which cyber criminals want to steal their victims' data. However, a QR code could also contain a download link for a malware programme, login information for dubious Wi-Fi hotspots or an instruction to transmit location data. Unfortunately, there are no limits to the creativity of cyber criminals.

If QR codes are used to deliberately mislead victims, this is referred to as QR phishing, QR code phishing, quishing or QRishing.

In short

Instead of leading to the desired website, a QR code can also ...

How can it affect me?

QR codes have established themselves in our everyday lives. Scanning a code has become routine for many of you, and this is precisely what cyber criminals are exploiting. As soon as something becomes common, people no longer question it. This is the reason why fraudsters send fake invoices with manipulated QR codes, for example. To do this, they also scour email accounts that have already been hacked in order to imitate original invoices and change the IBAN to their own. In the meantime, cyber criminals have already developed this QR scam further: they create QR codes from special characters (ASCII/Unicode); this can prevent security programmes from recognising the QR codes as such.
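For defenders, one way to spot QR codes drawn from special characters in a message body is sketched below. This is an added example, not part of the original article; it assumes the code is drawn with Unicode block characters (plain ASCII variants are not covered), and the thresholds and sample message are constructed for illustration.

```python
import re

# Assumption: the text-rendered QR code is drawn with Unicode "Block Elements"
# (U+2580-U+259F) plus spaces; half blocks pack two module rows into one line.
NOT_GRID = re.compile(r"[^\u2580-\u259F \u00A0]")
BLOCK = re.compile(r"[\u2580-\u259F]")
MIN_WIDTH = 21      # the smallest QR symbol (version 1) is 21x21 modules
MIN_ROWS = 10       # assumed: 21 module rows need about 11 half-block lines
MIN_DENSITY = 0.4   # assumed minimum share of block characters per line


def is_grid_line(line: str) -> bool:
    """True if the line looks like one row of a block-character drawing."""
    if len(line) < MIN_WIDTH or NOT_GRID.search(line):
        return False
    return len(BLOCK.findall(line)) / len(line) >= MIN_DENSITY


def find_text_qr(text: str):
    """Return (first_line, last_line, width) for each suspected text QR."""
    hits, start, widths = [], None, []
    lines = text.splitlines() + [""]       # sentinel flushes the last run
    for i, line in enumerate(lines):
        if is_grid_line(line):
            if start is None:
                start, widths = i, []
            widths.append(len(line))
            continue
        if start is not None:
            rows = i - start
            # A QR symbol is square: every row has nearly the same width.
            if rows >= MIN_ROWS and max(widths) - min(widths) <= 2:
                hits.append((start + 1, i, max(widths)))
            start = None
    return hits


# Constructed sample: an invoice-style message with a block-character grid.
# The grid is a synthetic pattern, not a decodable QR code.
GRID = ["".join("█▀▄ "[(r * 5 + c * 3 + r * c) % 4] for c in range(25))
        for r in range(13)]
SAMPLE = "\n".join(["Dear customer,", "please scan to pay your invoice:", ""]
                   + GRID + ["", "Kind regards"])

if __name__ == "__main__":
    for first, last, width in find_text_qr(SAMPLE):
        print(f"possible text-rendered QR code: lines {first}-{last}, width {width}")
```

A hit only means the message contains a square block-character grid; it should be routed to the same checks as an image QR code rather than treated as proof of fraud.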

However, the danger lurks not only in the digital mailbox, but also in the real world. Fake and manipulated QR codes have already appeared on parking meters, ATMs, petrol stations, shop windows and in restaurants, even in Switzerland. It is not a challenge for a fraudster to print out a fake QR code and stick it over an existing one, or to add a QR code where there was none before.

How can you protect yourself from QR risks?

You don't have to buy expensive IT security products to protect yourself from potential risks behind QR codes. Instead, constant vigilance is required:

Further information