Of all the Super Bowl commercials that aired this past February, there was one that captured my attention from the start. If you recall, the only way to know which company was behind the commercial was to pull out a phone and use its camera to scan the QR-code that was bouncing around the screen for 30 seconds. QR-codes are, in essence, a direct link to a website or an application for your phone. And until I read this article from the Wall Street Journal last week, I never hesitated to scan any and all QR-codes – mostly out of pure curiosity. But now? Let’s just say I prefer using traditional menus to pulling out my phone to scan a code.
By now, most of you are probably aware of the term “phishing.” For those who don’t know, phishing is a type of social engineering attack that hackers use to steal user data, including login credentials and credit card numbers. Historically, the most common form of phishing has been via email. A hacker will send you an email posing as someone else (maybe a friend, family member or a business inquiry) with the goal of tricking you into clicking the link provided in the email. Now, QR-codes can be, and are being, used by hackers as a tool to trick people into scanning their code and visiting a malicious link.
“When they’re malicious, QR-code scams are essentially a new form of phishing attack, where scammers direct victims to a bogus website, and proceed to ask for personal information. Most smart phones ‘just read the code and open the link without ensuring that it is safe or that it is, in fact, what it says it is,’ says Justin Fier, director of cybersecurity and analytics at cybersecurity firm Darktrace.”[1]
For example, back in December, hackers placed QR-code stickers on parking meters in major Texas cities, directing drivers to a fraudulent website where they supposedly could pay for parking. As a result, many people were tricked into entering their credit-card information and unknowingly became victims of fraudulent charges and stolen information. In addition to stealing credit card information, hackers may also install malware to gain access to victims’ devices in perpetuity.
Now, the good news is that these kinds of attacks are more advanced, harder to pull off, and create a lot more work for hackers than your standard email/text phishing attack. And there are ways to protect yourself from a QR-code scam. For starters, when in doubt, go old school. Meaning, enter the website address manually if/when a QR-code seems fishy or untrustworthy. Legitimate QR-codes are not stickers that someone just added onto something (like a parking meter). If you happen to scan a QR-code, check the domain that pops up on most smartphones before proceeding. In the example of the parking meter in Texas, the domain should have been a municipal website, and anything other than that should have raised a red flag.
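The domain check described above, written out as an added example (it is not part of the original article). The trusted domain `city.example` stands in for the municipal website, and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def check_qr_url(payload, expected_domains):
    """Return (ok, reasons) for the text decoded from a QR code.

    expected_domains: domains the reader already trusts for this purpose
    (an assumption of this example; a scanner cannot know them by itself).
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return False, ["not a parseable URL"]
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if parts.username is not None:
        # Text before '@' is login info, not the site: a common disguise.
        reasons.append("URL has a user@ prefix that hides the real host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, reasons + ["no host name in the code"]
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass  # a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host contains punycode (possible look-alike letters)")
    # Trusted only if the host IS an expected domain or ends with ".<domain>";
    # a trusted name merely appearing at the front of the host does not count.
    trusted = any(host == d or host.endswith("." + d) for d in expected_domains)
    if not trusted:
        reasons.append(f"{host} is not one of the expected domains")
    return (not reasons), reasons

SAMPLES = [  # constructed examples, not real sites
    "https://parking.city.example/pay?zone=12",
    "https://city.example.pay-meter.example/pay",
    "https://parking.city.example@pay-meter.example/pay",
    "http://203.0.113.7/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, reasons = check_qr_url(url, ["city.example"])
        print("OK  " if ok else "STOP", url, "; ".join(reasons))
```

Only the first sample passes. The second and third put the trusted name where the eye lands first, but the host the phone actually connects to is `pay-meter.example`.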
Lastly, if you do fall for a phishing or QR-code trap, do not panic or beat yourself up. First, take a deep breath. Use this as a good opportunity to update your password, notify your bank and our team, and monitor your credit card charges. Remember, we’re only one phone call or one email away from assuring you that the assets you trust us with are safe. That’s HMA!
[1] https://www.wsj.com/articles/beware-of-qr-code-scams-11647625020
Hummer Mower Associates is registered with HighTower Advisors, LLC, an SEC registered investment adviser and/or Hightower Securities, LLC, member FINRA and SIPC. Advisory services are offered through HighTower Advisors, LLC. Securities are offered through HighTower Securities, LLC.