Australian technology news, reviews, and guides to help you

Can QR codes put you at risk of scams?

Ever since COVID, the QR code has made a comeback, as we use it to check in at locations around the country. But could the QR code also be a vector for scams?

It seems there is an endless number of ways for cybercriminals to get under your skin, using all sorts of approaches to snag your details and turn them against you.

There’s the barrage of text messages purporting to be from a brand you trust, the rather large number of emails telling you to click here to do this or that, the odd phone call from someone pretending to be from the NBN, and even the phone call that hangs up before you can answer it.

It’s all a bit dizzying, so what next?

The next opportunity for scams might just be something you least expect, and something that we all use when we go out.

The coronavirus revived the QR code

Ever since the coronavirus forced us all to check in to the locations we go, we’ve been seeing the revival of the QR code.

You know what it is, and if you’ve gone anywhere in the past few months, you’ve likely had to take out your phone to scan one in, with that QR code triggering your web browser to take you somewhere.

That square jumble of black pixels and shapes is basically the picture equivalent of a barcode. Just as a barcode’s lines encode a sequence of numbers, a QR code’s shapes and their placement encode a link, often a website address, so when it’s scanned, a device that reads the code will go wherever the QR code points.

They can be used for legitimate reasons, such as paying a bill, setting up WiFi, or even configuring a feature on a gadget like a camera.

Most of the QR codes we encounter these days legitimately send us to locations that serve a useful purpose, and typically those locations are innocuous. QR codes for venue check-in systems launch a link that takes you to a login, allowing you to log your entry somewhere. In Australia, if that QR code is connected to a government login, it will launch the relevant government website or app (if you have it installed), which in turn can help contact tracers in our crazy COVID-affected world. Thanks, coronavirus.

But because a QR code is basically an image shortcut for a link, scammers can take advantage of the technology too, and that’s not a great thing.

Most businesses will likely do the right thing

Much like how you shouldn’t click on every link in every email you get, you probably should only scan the QR codes you need to, such as the ones you’re using to register your entry to a business, and the good news is that most businesses will do the right thing.

However, it’s also impossible to tell the difference between a real QR code and a fake one simply by looking at it, and that could spell trouble if a business does the wrong thing.

“The very nature of QR codes makes it impossible for the naked eye to determine which codes are real or fake,” said Aaron Bugal, Global Solutions Engineer at Sophos.

Bugal told Pickr that technically all QR codes are real, because they’re all just a link to a location. However, you typically know what you’re using a QR code for, such as logging in to mark yourself down as being at a location, so you should think about why you’re being asked to use one. Checking in is a valid use, but in Australia, where cashless payments aren’t usually triggered by a QR code but rather by one of the other contactless payment technologies on your phone, you need to be aware of what you’re using the QR code to do.

“This is where people must think about and question the information the premises is asking them to hand over,” he said. “If you’re using a QR code to check in to a medical centre, does it need your credit card details? Not even a restaurant where you will have to pay will need these details from you via QR code.”

Businesses need to watch their QR codes, too

It’s not just about what regular people scan in with their phone cameras, but what a business posts in its window. While most businesses will likely do the right thing, if they don’t watch their QR codes, it’s possible a scammer could intervene, sticking a new QR code over the original to make it seem legit.

“There’s already a handful of cases where front door, street facing codes have been overlaid with codes that direct users to phishing sites,” Bugal told Pickr, adding that businesses need to make sure their QR codes remain the way they’re supposed to be, directing customers to what they’re there for: checking in.

“If you’re a proprietor required to show a QR code for registration and contact tracing, ensure that your codes provided are legitimate,” he said. “Be wary of where they’re displayed to the public and remain tamper-free.”

How to know whether a QR code is taking you to a legitimate check-in system

Unfortunately, by the time you’ve scanned something in, there’s a risk that you’re already on your way to a scam site, so you need to pay attention to the telltale signs early, such as the website address shown at the top of the page.

However, Australians may be able to win this fight against potential QR code scams by using the government apps often used for checking in. Depending on the state you’re in, your check-in may use the government app to assist with contact tracing, and if it does, it should launch that app upon scanning. In NSW, where Sydney is, it’s the Service NSW app, but depending on where you are, that may change to whatever is local for you.

“To counteract the malicious use of QR codes, I recommend people make use of their state’s official check-in smartphone app – if available – to sign into venues,” said Bugal.

If you’re concerned and won’t be using that app, another option is a security-focused QR code scanner, with many released by the regular security software brands. These work in much the same way as your phone’s default QR code scanner, which is typically built into your phone’s camera app, but they check the address against known security risks first, so you don’t find yourself walking into a trap.
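To make concrete what "the QR code encodes a link" and "check the address first" mean in practice, here is an added example (written for this page, not code from Pickr, Sophos or any scanner app). It works on the text a QR code decodes to, not on the image itself, and applies the checks a security scanner would run before opening anything: is it really a web link, is it HTTPS, is the host a raw IP address, a look-alike (punycode) domain, a link shortener, or a "trusted-name@real-host" trick, and, when you expect a venue check-in, does it go to the host your state's check-in service actually uses. The allowlist host `checkin.example.gov.au` and the shortener list are constructed placeholders, and the WiFi parsing is simplified (escaped semicolons in passwords are not handled).

```python
"""Inspect a decoded QR payload before acting on it (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed placeholder: the host your state's official check-in service
# uses. Replace it with the real host after verifying it yourself.
EXPECTED_CHECKIN_HOSTS = {"checkin.example.gov.au"}

# Constructed list of common link shorteners; they hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

# WIFI:T:<auth>;S:<ssid>;P:<password>;; (simplified: no escaped ';' support)
WIFI_RE = re.compile(r"^WIFI:(?P<fields>.*?);;$", re.IGNORECASE)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def _is_ip_literal(host: str) -> bool:
    """True if the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def inspect_url(url: str, expect_checkin: bool) -> list:
    """Return the warnings a cautious scanner would raise for a web link."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme or 'none'!r})")
    if not host:
        warnings.append("no host in URL")
        return warnings
    if _is_ip_literal(host):
        warnings.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode domain; check for look-alike characters")
    if parts.username is not None:
        # "https://trusted.name@evil.example/" really goes to evil.example
        warnings.append("user@ prefix in URL; the real host is after the @")
    if host in SHORTENERS:
        warnings.append("link shortener hides the real destination")
    if expect_checkin and host not in EXPECTED_CHECKIN_HOSTS:
        warnings.append(f"host {host!r} is not the expected check-in service")
    return warnings


def parse_wifi(payload: str) -> dict:
    """Split a WIFI: payload into its T/S/P/H fields."""
    m = WIFI_RE.match(payload)
    if not m:
        raise ValueError("not a WIFI payload")
    fields = {}
    for item in m.group("fields").split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            fields[key.upper()] = value
    return fields


def inspect_payload(payload: str, expect_checkin: bool = True) -> dict:
    """Classify a decoded QR payload; 'proceed' is True only with no warnings."""
    payload = payload.strip()
    if payload.upper().startswith("WIFI:"):
        fields = parse_wifi(payload)
        warnings = []
        if expect_checkin:
            warnings.append("expected a check-in link but got WiFi credentials")
        if fields.get("T", "").lower() in ("", "nopass"):
            warnings.append("open network (no encryption)")
        return {"kind": "wifi", "ssid": fields.get("S"),
                "warnings": warnings, "proceed": not warnings}
    if SCHEME_RE.match(payload):
        scheme = payload.split(":", 1)[0].lower()
        if scheme in ("http", "https"):
            warnings = inspect_url(payload, expect_checkin)
            return {"kind": "url", "warnings": warnings, "proceed": not warnings}
        # tel:, sms:, mailto: and friends are never a venue check-in
        return {"kind": scheme, "warnings": [f"{scheme}: is not a web link"],
                "proceed": False}
    warnings = ["plain text, not a link"] if expect_checkin else []
    return {"kind": "text", "warnings": warnings, "proceed": not warnings}


if __name__ == "__main__":
    # Constructed sample payloads, as a decoder would hand them over.
    for sample in ("https://checkin.example.gov.au/venue/1234",
                   "http://192.0.2.10/checkin",
                   "https://checkin.example.gov.au@evil.example/x",
                   "https://bit.ly/abc",
                   "WIFI:T:WPA;S:CafeNet;P:secret123;;"):
        print(sample, "->", inspect_payload(sample))
```

The point of the allowlist check is the one Bugal makes: you know what you are scanning the code for, so anything that does not go to that service is a reason to stop, whatever the rest of the URL looks like.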

That’s the last thing anyone would want these days, and you shouldn’t be penalised for doing the right thing.
