October is Cybersecurity Awareness Month. All month long, ITS News will highlight how ITS — and you — keep the University safe. In this guest post, Drew Trumbull with the Information Security Office, shares how malicious actors are using QR codes for scams and phishing campaigns. Check out all Cybersecurity Awareness Month events, or for year-round tips on staying cybersafe, visit Safe Computing at UNC.
Over the past few years, QR codes have been adopted by a number of businesses and services as a way to easily share a website containing relevant information. For example, a growing number of restaurants have QR codes that lead to their menus and even allow patrons to order items and pay all from their smartphone. Other services, such as parking garages, can utilize this technology to push people to a payment website without them having to visit a kiosk or wait in a line at a toll station.
Malicious actors exploit convenience
Unfortunately, as with all convenient technological advances, malicious actors have begun to exploit people’s general trust in QR codes to perpetrate scams and phishing campaigns. In a scam a few months ago in Atlanta, fraudsters placed fake QR codes over real ones that were posted in a parking garage. When people scanned the fake code, they were sent to a website that took payment information, enabling the bad actors to gather personal and financial information.
Other scammers have used QR codes in phishing campaigns, replacing clickable links in the email body with QR codes. When recipients use another device to follow the QR code, the activity is moved to that device. That puts activity outside of many protection mechanisms that organizations and email providers have implemented to help prevent phishing and scam attempts from being successful.
About the author
Drew Trumbull has been doing odd jobs in IT at UNC since 2007, starting at the ITS Service Desk as a student. He currently acts as the team lead for Security Operations and Incident Response in the Information Security Office.
When not fighting cyber attacks, Trumbull can be found traveling the world or walking from wood line to wood line on the golf course searching for his ball.
Tips for using QR codes safely
Here are some tips for dealing with QR codes out in the world or from unverified sources, such as unknown phone numbers or email addresses:
- Before you scan a QR code on a poster or sign, run your finger over the QR box if you can. If it feels like a sticker, do not use the code.
- Do not give permissions for anything after scanning a QR code (such as to the camera, location, microphone or accessibility functions of your phone).
- Don’t download apps or files if prompted.
When a QR code seems suspicious, don’t scan it. If you’ve scanned the code and it raises red flags like asking for permissions, don’t continue. If there are any signs of concern, visit the business directly or use your browser to search for more information.