You’ve almost certainly used QR codes before—it’s when you point your phone’s camera at a square barcode to access a menu, a form, or even an app, and then tap on the link that appears. But while most QR codes are innocuous (especially compared to their early wild days), their low-tech and humble vibe makes them perfect tools for bad actors.
A recent example surfaced in the news just last week, with Malwarebytes publishing a blog post about a targeted QR code attack on WhatsApp accounts. Broken QR codes served as bait for victims, who were lured into clicking a link and following instructions that granted access to a new device. That hacker-owned device then gained the ability to read and potentially download full message histories.
While sophisticated, this particular campaign highlights how a QR code can serve as a gateway to a malicious website. More commonly, the attack is direct—as in a phishing scheme I wrote about back in December, which tried to steal login info for Microsoft accounts. Scanning the QR code led to a phishing webpage.
What’s most dangerous about QR codes is that they can pop up in a number of environments, some of which you might not associate with shady behavior. It’s not limited to the online world, either—you’re just as likely to encounter a bad QR code while out running errands. For example:
- Physical ads: Think flyers and bills posted in public. They claim to be about a service, charity, business, etc., but instead send you to a phony site or force your device to download malware.
- Text communication: If your friends, family, or associates get hacked, you could be sent a phishing QR code to squeeze personal info out of you.
- Email: Similarly, you could get spoofed emails from people you know or stores you shop at, asking you to confirm personal information. The reasons can vary widely.
- Physical mail: Your mail could include fake ads and notices with malicious QR codes. Packages aren’t exempt, either—a new scam is to send unsolicited items to people, then include a phishing QR code with them to snag your details (possibly even your financial info).
One particularly sneaky appearance of bad QR codes is as additions to legitimate physical flyers and ads posted in public, or on things like parking meters. A would-be scammer will stick or paste a replacement QR code over the proper barcode, which then sends unsuspecting folks to a phony site. You could lose not just your personal info, but your credit card or other financial details, too.
QR code scanning apps can be trouble as well. Nowadays, you don’t need a third-party app—the camera app on both Android and iOS phones will handle QR codes perfectly fine. But these third-party options still exist, and you could download one without realizing the risk of grabbing malware that will spy on your activity and steal data.
To protect yourself from QR code scams, be discerning about which codes you scan. Also verify that the link is appropriate for the situation and, if you click on it, whether the information it asks for is relevant. Use alternate methods to access the info or make a payment should anything feel off.
You can also add other defensive measures to your accounts, like passkeys—this form of login is resistant to phishing. If passkeys aren’t available, two-factor authentication at least adds a second checkpoint that a hacker must pass to gain access. However, 2FA can be thwarted by hackers, so passkeys are the stronger move. (Need to keep your passwords, 2FA tokens, and passkeys secure? A password manager can safely store them for you.)
Another layer of protection can be antivirus suites (including Microsoft Defender, which is included with Microsoft 365 subscriptions). They generally offer mobile protection that includes anti-phishing measures. It’s not fail-proof though, which is why a layered approach to security is still the best way to go.
Basically, since QR codes can be found almost everywhere, so too can scams trying to trick the unsuspecting. But if you’ve already got security measures in place, sidestepping the headache takes just a little forethought.