Named using an abbreviation that stands for “quick response,” QR codes originated in the 1990s in Japan’s automotive industry, where they were used to aid in the management of vehicle production. And since then, the pixelated squares that nearly instantly lead users of smartphones, tablets, and other camera-equipped smart devices to sources of desired information and data have seemingly popped up everywhere. As most modern consumers have likely observed, these codes can be found on everyday items ranging from business cards and real estate listings to TV commercials, social media posts and product labels.
But consumers are not the only ones who have noticed the prevalence of QR codes in today’s digitally driven society. Cybercriminals have picked up on their popularity, too, and are exploiting the convenience they offer to trick unsuspecting users into giving up personal information such as banking and credit card data.
To protect themselves from becoming victimized by malicious QR codes, consumers can employ the following eight expert-recommended tactics to help keep their personal information out of the hands of QR code scammers:
- Employ the same skepticism used when surfing the web: When considering a QR code for scanning, as well as when the code’s online destination is reached, it is wise for consumers to utilize the same Cybersecurity 101 tactics that they regularly practice online. Just as security-conscious users are hesitant to click on suspicious hyperlinks or download dubious attachments, they should practice similar caution with QR codes, especially in cases in which the origin of the code is unknown. This is because, much like phishing emails, QR codes can direct users to suspect websites and sites that have been designed to appear legitimate but are fraudulent. Often, these sites can be vehicles for malware downloads or attempts to garner financial information or personal details such as login credentials.
- Be especially wary of QR codes found in public places: Before scanning a QR code found when out and about, consumers should carefully examine the code for any signs of tampering, such as the placement of a sticker over the original QR code. If a code does not appear to be a fit with its background, device users should refrain from scanning it. Further, users should not scan QR codes from unfamiliar websites, posters, flyers, or magazines unless they are certain that the code’s destination is legitimate.
- Double-check the URL: Once a QR code has been scanned and has directed a device to a website, the user should carefully review the website’s URL. If the web address does not appear to match the organization that the text accompanying the QR code names as its destination, the user should refrain from providing any personal information. The user should also refrain from downloading any files or applications from the site. It is also wise to check the URL for any odd structuring and for slight misspellings of that organization’s name, as these are common tactics of cybercriminals.
- Stick to the app store: Consumers should avoid downloading applications via the link provided by a QR code. Instead, a safer route is to search for and download desired applications directly from a device operating system’s app store. Further, most of today’s phones have QR code scanners built into their cameras, so most users do not need to download a QR code-scanning app.
- Step up device security: Just as on laptops and desktops, mobile devices should have reputable security applications installed and running on them to protect against malware and viruses that malicious QR codes (and other potentially risky sources) can deliver. Further, users can consider adding extra protection that checks for malicious or otherwise harmful content, such as Bitdefender Mobile Security (available for Android and iOS) or Norton Mobile Security (also available for Android and iOS).
- Consider using a password manager: As is the case with many phishing attempts, fraudulent QR codes often direct traffic to fake websites that attempt to impersonate the real thing and collect users’ login data. In many cases, a password manager can detect a look-alike website when a user might not, and the application will in turn prevent sensitive username and password information from being autofilled into the empty fields on the fake site.
- Do not pay bills using a QR code: When consumers receive an email or text that provides a QR code for bill payment, it is a good idea to call the company or organization requesting the payment directly (using a phone number retrieved from an official or trusted website) to verify the request before sending any funds or submitting any financial details. Another security-boosting tactic that can lower risks when this happens is to go directly to the requesting organization’s official URL to log in and submit payment rather than following the link in the QR code as there is a chance the link could be fraudulent.
- Beware of texted and emailed QR codes: In addition, following QR codes that appear to have been texted or emailed from friends can present risks as there is always a chance that the friend’s account has been hacked. As discussed just above, it is wise to verify any such requests, especially before sending any funds or financial information, by contacting the friend directly using a known number to confirm that the friend sent the request.