Beware of QR Codes that are a Quick Rip-off

It seems like everywhere you look these days there are QR (Quick Response) codes, and they are often quite handy, making many things easier and faster - not just for the consumer, but for the cyber crook as well. Take care that you don’t scan for a scam.

More and more restaurants have signs when you enter that offer a QR code to scan the menu into your phone. Check to make sure it’s not a fake code on a sticker covering the real code, because that’s one avenue crooks are taking – one distracts the host/hostess while an accomplice plasters the malicious code onto the sign.

You can scan these codes on your computer and on your TV screen. There’s even a QR code on a “Be More Like Betty” mural commemorating the late Betty White, a well-known animal protection advocate, which encourages dog rescue donations. Just grab the code with your phone and it takes you to the donation website.

Cyber criminals are cashing in with phony QR codes that take you to websites that look legitimate but are ‘spoofed’ copies that are ready to steal your information or lock up your phone – or even your work computer and network with Ransomware.

You need to be careful about randomly capturing codes offering great deals – especially when they appear on your phone unsolicited. It is just that kind of advertising that enables the big ‘free’ social media companies to make tens of billions of dollars per year. There are so many ads bouncing onto a consumer’s screen that it’s difficult to spot the scams.

Google offers a QR code sign-in as an extra layer of security. You must already be signed into your Google account on at least one other device. Even though Google has reasonably decent Cybersecurity measures, ANY website can be spoofed (copied) and provide the user with a malicious QR code.

Smart phones are relatively easy marks for cybercriminals. Mobile security provider MobileIron surveyed over 2,100 end-users across the US and UK and found results that were far from comforting. Mobile users as a rule do not understand QR codes or their potential risks – 71% of those surveyed said they could not tell the difference between a malicious and a legitimate QR code. Half – 51% – of respondents had no idea what kind of security they had on their mobile devices – or if they had any at all.

By and large, the crooks targeting consumers (who typically don’t have IT services at their disposal) are small-time – they usually just bite them for a couple hundred bucks. The big-time criminals go after bigger money – from businesses.

The FBI published warnings and advice on how to avoid these scams:
“Here’s how to protect yourself:

~ Do not scan a randomly found QR code.
~ Be suspicious if, after scanning a QR code, the site asks for a password or login info.
~ Do not scan QR codes received in emails unless you know they are legitimate. Call the sender to confirm.
~ Some scammers are physically pasting bogus codes over legitimate ones. If it looks as though a code has been tampered with at your local bar or restaurant, don’t use it. Same thing with legitimate ads you pick up or get in the mail.”

Fake QR code scams are not limited to smart phones: Cyber criminals are also perfecting the ability to infect business networks, and they are already doing it – both through phishing emails containing QR codes and through phones connected to a business network.

Can malware go from phone to computer?

Absolutely – and vice versa. If you charge your phone through a USB cable plugged into a computer port and either device is infected, it will infect the other.

Remember when only field personnel had to have their smart phones connected to the office network? With the dramatic rise in the remote workforce, employees who work from home are connected on several different devices: desktops/laptops, phones, and tablets. The smart phone used to scan a code is a direct bridge to the office network.

Remote devices, especially phones, have long been the weakest link in network security defenses.

This should be addressed in Security Awareness Training. Just as we at ITFIRM.com teach our clients how to spot standard phishing emails and send them immediately to our Help Desk, we have included the scanning of QR codes. Cybersecurity is not just the concern of your IT team – the end users must be on board and vigilant.

Once the crooks are in your phone – and your phone is connected to the network – they are in your network, and your in-house IT department or outsourced Managed IT Services provider is scrambling to contain the malware and negate the effects.

Frequently Asked Questions

What is a QR code and how does it work?

QR codes operate in a similar vein to the UPC code on items scanned at a store checkout counter, although they are much more sophisticated. A QR code does not just give pricing and product information; it can take you directly to a website. If it’s a phishing website, no other action is generally needed – your phone is usually infected as soon as the web page opens.

Can QR codes have viruses?

The code itself cannot contain viruses because it does not have the capacity to store an executable file, which is necessary for the release of a virus. The job of a phony QR code is that once scanned, it takes you to a malicious website where the infection can occur.

How can you tell a fake QR code?

Make sure the URL address matches the service you are seeking. The #1 way to verify this is to hold the camera over the code, but just hover - DON’T SCAN IT! The URL attached to the code will appear. If it doesn’t appear, or is different than expected, it’s probably a scam – don’t scan – better safe than sorry.
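For help desks and awareness trainers who want to show what "matches the service you are seeking" means in practice, the Python below (an added example, not part of the original article or of any ITFirm.com tooling) applies that comparison to the URL text previewed from a code. The function name, the shortener list and the sample URLs are constructed for illustration; the expected domain is whatever service the user believes the code belongs to.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of link-shortener hosts; extend for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def check_qr_url(payload, expected_domain):
    """Return reasons the decoded QR payload does not match the expected
    service. An empty list means none of these checks found a mismatch."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("scheme is not https")
    if not host:
        return findings + ["no host in payload"]
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible look-alike characters)")
    if host in SHORTENERS:
        findings.append("link shortener hides the destination")
    expected = expected_domain.lower().rstrip(".")
    if host != expected and not host.endswith("." + expected):
        findings.append(f"host {host!r} is not under {expected!r}")
    return findings

# Constructed sample payloads (reserved .test names and a documentation IP).
SAMPLES = [
    "https://order.example-menu.test/table/12",
    "https://example-menu.test.evil.example/menu",
    "https://example-menu.test@198.51.100.7/login",
    "http://bit.ly/abc",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url, "example-menu.test") or "no mismatch")
```

The second sample shows why the comparison has to be made on the end of the host name: the expected name appears in the URL, but only as a subdomain of a different site.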

Can you manipulate a QR code?

No. QR codes are static and cannot be edited, updated, or tracked (unless the creator embeds a way to track). Manipulation is useless. It’s best to create an entirely new QR code.

How secure is your network?

As a longstanding, reputable member of the Charlotte IT Support community, ITFirm.com offers a FREE, no-risk network and security assessment. We perform a non-intrusive scan that allows us to deliver a comprehensive report of the state of your system and its vulnerabilities that is yours to keep. There are no strings attached, and you are under no obligation ever to use our IT services.

The two best defenses are next-generation Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider to ensure continued reliability and defenses against newly emerging threats.

We put our 100% Money Back Guarantee in writing, so there is no risk in trying us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.

Among the Managed IT services we provide:

IT HelpDesk Service
Onsite IT Support
Cybersecurity
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)
