Know the safety pointers for scanning QR codes

QR codes seem to be everywhere these days, having gained traction during the pandemic as businesses were looking for additional ways to offer consumers touchless transactions.

But while they’ve grown in popularity, cybercriminals can tamper with them to redirect victims to malicious sites that steal login and financial information, according to a recent FBI warning.

"Cybercriminals always flock to exploit the latest trends, so they’ve spent more and more time looking for ways to exploit the use of QR codes as adoption of the technology has grown," said Anna Chung, principal researcher at Unit 42, the global security consulting and threat intelligence group at Palo Alto Networks.

They look to QR codes to steal personal data, install malicious files on mobile devices and even use phones to steal by compromising payment tools and cryptocurrency apps, she said.

If you’re unfamiliar with QR codes — the acronym stands for quick response — it’s a square bar code you scan with a smartphone camera, and it can provide direct access to a website, prompt the download of an application, and even direct payment to an intended recipient, according to the FBI.

Look where it's taking you

Often, QR code users immediately follow the link that pops up without reviewing the URLs they’re being directed to, Chung said.

And with that comes risks.

Common tactics used by cybercriminals include prompts to scan this QR code for "free WiFi," which can lead to such problems as tricking users into installing malware on their devices; "QRishing," which involves directing smartphone users to a phishing site after they scan a malicious QR code; and luring victims to scan a QR code to download a malicious application, she said.

And while these are legitimate threats, it doesn’t mean consumers and businesses should avoid QR codes completely, said Steve Morgan, founder of Northport-based Cybersecurity Ventures and editor-in-chief at Cybercrime Magazine.

"Don't let the bad guys win and take QR codes away from us," he said.

Instead, businesses and consumers need to train themselves on "what QR codes are, how they can be used and know the vulnerabilities," he said.

"Computers get hacked every day, and this has been going on since the '70s — but do we throw our computers away?", Morgan said. "QR codes are a reality that are here to stay so we have to safely deal with them."

Spotting risks

The QR code is becoming more prevalent. They are being used to access menus, for banking and financial transactions, even for social media logins.

The QR code on a local restaurant’s menu doesn't pose a big risk, said Adam Schwam, president of Farmingdale-based Sandwire Corp., a managed IT services company. But patrons should look at the menu placard to make sure a sticker hasn’t been placed over a legitimate QR code, he said.

The greater peril comes from QR codes from unfamiliar sources like random mailings or subway posters and stickers on walls that say: scan this QR code and click on this link for more information, Schwam said.

As a best practice, don’t scan QR codes from an untrusted source. If you’re uncertain, he said, type in the URL that the QR code brings up when you scan it to make sure it takes you to a legitimate site.

Also avoid using third-party QR code-reading apps that aren’t vetted, but rather use the native QR code app on your smartphone, Schwam said.

For businesses, make sure you’re working with a reputable QR code provider, said Jamie Erhardt, group account director at EGC Group, a Melville-based marketing and digital services firm. Also randomly test your business' QR codes.

Why they're useful

She said that, at the height of COVID, retailers used the codes to give customers more information, such as safety protocols. "It minimizes friction and takes consumers to where they want to go by just pointing their phone at it," she said.

Stores are still using them for conveniences like directing customers how to leave reviews online, Erhardt said.

QR codes are not the main source of breaches, said Armando D’Accordo, president of CMIT Solutions of South Nassau, a Merrick-based information technology and security services provider.

"Malicious websites and phishing emails are still the biggest threats," he sees, but QR codes are a source of concern, especially if hackers gain access to your smartphone with your contact list and credit card information.

He offers tips on hedging risk at tinyurl.com/2p8hbyd3. A major safety take-away is "know the source before you click."

"Scanning a QR code is no different than clicking a random link in an email from an unknown site," D’Accordo said.