Thursday, December 14, 2023

Scam alert: QR codes

 

I note a warning from the FTC that scammers are increasingly using QR codes to mislead and defraud people.


QR codes have become increasingly popular since the COVID-19 pandemic, which proliferated their usage in the form of paperless menus or bills.

But with the convenience and efficiency of the scannable codes comes a threat: they also make patrons easily scammable.

As Check Point cybersecurity experts report a 587% increase in QR phishing, or “quishing,” the Federal Trade Commission also has issued a warning to consumers who may be putting their personal information at risk.

Cybercriminals may cover up legitimate QR codes — also known as “quick response” codes that are traditionally found as a jumble of white and black pixels that direct scanners to a website — with their own that send scanners to phony sites that then steal personal information or install malware.

The bogus codes can be found in public places, like parking meters, or can be sent via texts or emails claiming there was suspicious activity on an account or an issue delivering a package.

“They want you to scan the QR code and open the URL without thinking about it,” the FTC warned in a blog post on Wednesday.


There's more at the link.

It baffles me how many people simply assume that a link to a Web site, or a QR code, or other seemingly innocuous method of contacting someone, is automatically safe and non-threatening.  Any technology, new or old, is subject to abuse.  Criminals are ingenious, and never stop thinking of new ways to steal from us.  (After many years of working with them in prison, I can say with certainty that if most criminals put half the effort into honest work that they do into crime and illegal scheming, they'd be much better off . . . but they'd rather be dishonest.  It's weird.)

Remember the old area code phone scam?  You'd get a message from an unknown number, with an area code you didn't recognize.  You'd return the call, and have to wait a while to be connected to "the person who called you", only to be told that it was a "wrong number" or something like that.  Meanwhile, you'd find out later that the area code was for a foreign country, and you'd been charged an exorbitant rate per minute while you were on hold.  You had to pay the phone bill (after all, you had made the call), and the scammer got a kickback from the phone company.  There's also the "Can you hear me?" scam, where you'd be recorded responding "Yes" to that question, and then the recording would be used to have you seemingly give consent to financial charges at other companies, or releasing confidential information.

QR and bar code scams are merely the latest variants on that sort of technological crime.  Basically, if anything can be misused to scam you, someone's going to try it.  Be on the alert for it.

Peter


7 comments:

Well Seasoned Fool said...

My simple answer? I've never scanned one and likely never will.

Anonymous said...

I use a flipphone, not exactly a smart phone. It has no scan capability. I have always thought that using something I can't read to go places on the interwebs in foolish at best.
When I first saw QR code thingies, I thought, "Where does it go if you put some sharpie marks in the middle of it?"
J

LB said...

I just got the "Can you hear me?" question earlier today. Fortunately, I don't have a smart phone. My flip-phone is not connected to any accounts, and I don't use FB or IG. I'll remember to say "I hear you" instead of "yes" next time.

BillB said...

My ex-wife, when we were married, got scammed about 35 years ago by a long distance provider. The company called, and their first question was, "Would you like lower long distance rates?". Then they went on with their spiel for their service. At the conclusion, they asked her if she would like to switch and she said no. However, they dropped that ending part from their recording. We were switched to a company called "Lower Long Distance Rates". As soon as we found out, we got switched back to the provider we had after explaining about the scam.

Francis Turner said...

QR codes are great at stopping typing errors but you need to not run them directly. Most cameras allow you to copy the decoded URL data rather than just visit the site. Do that. Then paste the URL into something else such as a note app and look at it closely. Ideally post the URL into something where you can view it in a couple of different fonts so you can spot the places where the scammer replaced l with I or 1 (or vice versa) or rn for m, vv for w etc. Also check the location of the /s and .s

https://www.amazon.com.sercure.verifylogin.link/blahblah is not going to amazon.com for example

Once you have looked at the link, if it doesn't display PII such as your name/email address and you are still suspicious then paste it into urlscan.com and see where it goes to. (if it does display PII edit the PII to something generic like bugger@off.com then paste it in).

I strongly recommend urlscan.com but there are other places that allow you to do similar things such as virustotal.com and hybrid-analysis.com (though both of those tend to be better at detecting malware in amail attachments and the like)

What all of these sites do is see where the url actually ends up and it frequently isn't amazon, paypal or you bank. Most of them will tell you that (for example) the domain is hosted in Russia or fronted by cloudflare (and neither amazon, paypal or you bank use either of those)

Hamsterman said...

A local Lego store had a QR made out of black and white Legos. If someone scans it, they get "Rick-rolled".

Aesop said...

Slap "technology" on something, and the suckers line up to scam themselves.

It's like breeding self-shearing sheep.