QR Code Scams and COVID-19: What you need to know

Feb 26, 2021 by Webmaster


The QR code is back. With COVID-19, Australians are now greeted with the familiar square graphic of a QR code at the entrances of most businesses and venues to help contact tracing efforts.

But where you have an online service, cyberthreats are never far behind. Scammers are sharpening their tools for QR codes and the Australian Cyber Security Centre (ACSC) has warned that we’re already starting to see new scams, and some old scams in new places.

Quick Definition: QR, or “Quick Response”, codes are two-dimensional computer-generated images made up of black modules in a square pattern on a white background. Encoded within this can be any kind of text-based data, including URLs.

How big is the threat?

The Australian Competition and Consumer Commission’s (ACCC) ScamWatch recorded 28 scams directly linked to QR codes between January and September 2020 with losses totalling more than $100,000.

McAfee listed QR code abuse as a top five threat in a recent 2021 predictions report, saying:
"The MobileIron report found that whereas 69 percent of respondents believe they can distinguish a malicious URL based on its familiar text-based format, only 37 percent believe they can distinguish a malicious QR code using its unique dot pattern format. Given that QR codes are designed precisely to hide the text of the URL, users find it difficult to identify and even suspect malicious QR codes.
"A quarter of respondents admit scanning a QR code that did something unexpected (such as take them to a suspicious website), and 16 percent admitted that they were unsure if a QR code actually did what it was intended to do."


How does QR scamming work?

It comes down to the website that the QR code directs consumers to. According to the ACSC, scanning a QR code that directs consumers to a non-government website requesting their name, phone number and email address could result in their personal information being used for marketing or, worse, criminal purposes.

The problem is it is quick and easy for criminals to generate QR codes, swap the real one for the fake one, and direct consumers to a harmful website that will install fake “tracking” apps that include malware.
This is compounded by the fact that people need to input their details several times a day. Avast security expert Luis Corrons told Technology Decisions that “Australians have become complacent around scanning QR codes and providing their details to any website to enter premises, and scammers are taking opportunity of this.”



There are three common QR code scams:

  1. Clickjacking – The easiest QR code scam, clickjacking is where people get paid to lure others into clicking on a certain link. This is most commonly found in tourist destinations where people expect to scan a code to get interesting information about the landmark, but the scam QR code takes them to a dodgy site and the clickjacking rep gets paid.
  2. Small advance payment scam – For some services, you expect to make an advance payment before using them, such as renting a shared bike. To go through the payment process, you simply scan the QR code on the bike. But the real QR codes can be replaced by scammers, who then receive the payments.
  3. Phishing – Phishing links can easily be disguised as QR codes. Phishers place QR codes where it makes sense for the user, such as at COVID-19 check-ins or on restaurant table menus.


What can businesses do to stop scammers?

For contact tracing, the best thing you can do is use the apps developed by government and instruct visitors to download the government check-in apps directly from government websites. Place the government-provided QR code in a prominent position within your business so that customers know to use the government-provided app to scan it. This helps avoid customers using their camera app to scan a QR code placed in your business by someone other than your employees.

If there are no government-provided check-in apps for your region, you may need to generate a QR code that directs customers to a website. Avoid using services that obscure the website address, and always test the QR code before giving it to your customers to confirm it directs to the right website. Another good tip is to provide a screenshot and description of the website, so customers know what to expect. Finally, place the QR code in a prominent position and check regularly that it hasn’t been replaced with a malicious QR code.

If you’re using QR codes in other parts of your business, such as on packaging for promotions, there is less risk of scams. But we still recommend you take care to use a system such as Matthews iDSnet to generate, manage and authenticate the codes.
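The "test the QR code before giving it to your customers" step, and the periodic check that a code has not been swapped, can be partly automated once the code has been decoded. The script below is an added example written for this article; it is not code from the original post or from Matthews iDSnet. It assumes a scanner app or library has already turned the QR image into its text payload, and it checks that the payload is an https link to exactly the host the business expects. The host name checkin.example and the sample payloads are constructed placeholders, not real sites.

```python
"""Validate the text decoded from a QR code before trusting the link it carries.

Added example, not part of the original article. It assumes the QR image has
already been decoded to its text payload by a scanner app or library; the
expected host and sample payloads below are constructed placeholders.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist: the exact host(s) a business expects its check-in
# code to open. Anything else is treated as a replaced or tampered code.
EXPECTED_HOSTS = frozenset({"checkin.example"})


def check_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Return (ok, reason) for a decoded QR payload.

    ok is True only when the payload is an https URL whose host is exactly one
    of expected_hosts. The reason string explains any rejection so it can be
    logged during the 'test the code before you print it' step.
    """
    text = payload.strip()
    if not text:
        return False, "empty payload"

    try:
        parts = urlsplit(text)
    except ValueError:
        # urlsplit rejects some malformed authority sections (e.g. unbalanced
        # IPv6 brackets); treat those as untrustworthy rather than crash.
        return False, "malformed URL"

    # Non-URL payloads (plain text, contact cards) are not links at all;
    # a check-in code should never carry one.
    if not parts.scheme:
        return False, "payload is not a URL"

    # Only https: http, javascript:, intent:, tel: and similar are rejected.
    if parts.scheme.lower() != "https":
        return False, f"unexpected scheme {parts.scheme!r} (only https allowed)"

    # 'https://checkin.example@evil.example/' looks right at a glance, but the
    # real host is whatever follows the '@'. Flag any userinfo outright.
    if "@" in parts.netloc:
        return False, "URL contains credentials before the host"

    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "URL has no host"

    # Exact match only: 'checkin.example.evil.example' or 'evil-checkin.example'
    # must not pass. This also rejects link shorteners, which hide the address.
    if host not in {h.lower() for h in expected_hosts}:
        return False, f"host {host!r} is not the expected check-in site"

    return True, "ok"


def audit(payloads, expected_hosts=EXPECTED_HOSTS):
    """Check each decoded payload and return a list of (payload, ok, reason)."""
    return [(p, *check_qr_payload(p, expected_hosts)) for p in payloads]


# Constructed sample payloads, as a scanner app might return them.
SAMPLE_PAYLOADS = [
    "https://checkin.example/venue/1234",               # genuine
    "http://checkin.example/venue/1234",                # downgraded to http
    "https://checkin.example.evil.example/venue/1234",  # look-alike subdomain
    "https://checkin.example@evil.example/venue/1234",  # userinfo trick
    "https://short.example/x9Yz",                       # address obscured
    "Table 7 - scan for the menu",                      # not a URL at all
]

if __name__ == "__main__":
    for payload, ok, reason in audit(SAMPLE_PAYLOADS):
        print(f"{'PASS' if ok else 'FAIL':4}  {payload:50}  {reason}")
```

Run the script after decoding a freshly printed code, and again during routine checks of codes on display; only the first sample passes, and every rejection carries a reason that can go straight into a log. The exact-host comparison is deliberate: matching on a prefix or substring would let a look-alike domain through.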