Take care with QR codes
As we head into the holiday season, watch out for scams that use quick-response (QR) codes to steal from you.
Whether you are scanning that QR (quick response) code to pay for parking, or to look up holiday deals in the mail, take a moment to check where it’s taking you.
According to the National Cyber Security Centre (NCSC), QR codes that seem harmless could actually be part of a scam.
What is quishing?
Quishing or QR-based phishing is where scammers capture your information by tricking you into scanning a malicious quick response (QR) code. The code takes you to a fraudulent website that can steal your sensitive information such as login details and credit card numbers.
QR codes are becoming increasingly popular with businesses and their customers. This means it’s easy to hide a malicious code in plain sight. We have received reports of scammers putting up boards with malicious QR codes around car parks or even sticking a fake QR code on top of an actual one. They can also print fake codes on a flyer and drop it in your mail. Or you could get an online message about a prize or a pending delivery that asks you to scan a code.
What are the risks?
When you scan a malicious QR code, it will ask you to download an app or take you to a website that will ask for your information such as your email address, password or even your credit card details. While you may think you are setting up an account or making a one-off payment, the web form is actually storing all the details you enter. Once a scammer has this information, they can carry out identity theft or gain access to your emails, social or banking accounts.
Watch out for quishing
Always be cautious when scanning QR codes to make a payment, to place an order, or to download an app.
Scan QR codes only in trusted environments, such as restaurants and shops, but only after you check what you are scanning. This might seem obvious, but make sure the QR code hasn’t been tampered with, like with a sticker. If you aren’t sure, ask a staff member.
If you have the option of manually searching for an app, you can do that instead of scanning.
Check the URL of the website the QR code is taking you to. When you point your phone camera at the QR code, you can see a clickable link hovering over code. If the URL does not match the name of the business or the app that you are trying to access, it could be a fake one.
If the link showing up over the QR code is a shortened URL, be cautious and avoid clicking on the link. Scammers often use link shorteners to hide the web address the QR code is taking you to.
If the link takes you to App Store or Google Play and prompts you to download an app, read the reviews before you download the app.