Are QR codes safe to scan? The answer is neither yes nor no, but more like a maybe. While most QR codes are safe to use, it's important to be aware of the risks of fraudulent QR codes. Quishing, or QR phishing, is a cybersecurity threat where attackers use QR codes to redirect victims to malicious websites or prompt them to download harmful content. Scammers will place these fake QR codes in many places, including emails, text messages, social media, public places, parking meters, printed flyers, or physical objects. Depending on the QR code scanner app you use, if you do not check/inspect the URL in the QR code, you may end up visiting the website represented in the QR code without realizing it. At this point, it is too late to do anything if that URL is indeed malicious. Scammers take advantage of the fact that QR codes are very common, and most people trust them because they are usually from reputable places like restaurants or ad posters. This is another example of convenience over security that gets people in trouble.
So how do you protect yourself? The only way to protect yourself is by inspecting the URL and making sure it is a legitimate site before you open it. That is the only thing you can do, but unfortunately it is not a foolproof method, because an attacker can deceive the user by creating a short URL that leads to a malicious destination using popular URL shorteners like bit.ly or even linkedin.com, which most people trust. To illustrate this, scan the QR code below with your device and see where it takes you.
Once you scan/navigate to the intended URL, note the browser address bar. I wrote a blog about the dangers of URL shorteners (https://blog.selvansoft.com/2023/03/shorturlscams.html) a few years back, which provides more details on URL shorteners. There is also a tool that can validate a URL before you actually visit the destination. Feel free to check it out.
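An added example, not part of the original post or the tool it mentions: Python that inspects a URL decoded from a QR code and expands a short URL hop by hop with HEAD requests, so the final destination is known before any page is opened. The shortener list, the warning labels and the sample URLs are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit, urljoin

# Illustrative, non-exhaustive list (assumption); bit.ly is named in the post.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "lnkd.in"}

def inspect_url(url):
    """Return warning labels for a URL decoded from a QR code (no network)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    checks = [
        ("not-https", parts.scheme != "https"),
        # Text before '@' is a username, not the site being visited.
        ("userinfo-in-url", bool(parts.username or parts.password)),
        ("shortener", host in SHORTENERS),  # real destination is hidden
        ("punycode-host", any(p.startswith("xn--") for p in host.split("."))),
        # Dotted or integer IPv4, or IPv6 (hostname has port/brackets stripped).
        ("ip-literal-host", host.replace(".", "").isdigit() or ":" in host),
    ]
    return [label for label, hit in checks if hit]

def head_location(url):
    """Send HEAD only and return the redirect target, if any; no body is fetched."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=5)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def expand(url, fetch=head_location, max_hops=10):
    """Follow redirects hop by hop; return every URL in the chain."""
    chain = [url]
    while len(chain) <= max_hops:
        target = fetch(chain[-1])
        if not target:
            break
        chain.append(urljoin(chain[-1], target))  # Location may be relative
    return chain

if __name__ == "__main__":
    fake = {"https://bit.ly/abc123": "http://192.0.2.10/pay"}  # constructed redirect map
    print([(hop, inspect_url(hop)) for hop in expand("https://bit.ly/abc123", fetch=fake.get)])
```

Only HTTP redirects are followed; a page that redirects with JavaScript or a meta refresh shows up as the last hop, so the final URL still needs a look before it is opened.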
In summary, the only way to protect yourself from Quishing attacks is to avoid scanning QR codes and see if there is an alternate method to accomplish what you intended to do.
Related Links:
- https://consumer.ftc.gov/consumer-alerts/2023/12/scammers-hide-harmful-links-qr-codes-steal-your-information
- https://www.bbb.org/article/news-releases/27342-bbb-scam-alert-fraudulent-qr-codes-continue-to-be-used-in-a-variety-of-scams
- https://www.usatoday.com/story/money/2024/09/19/fake-qr-code-scam-parking/75294446007/
- https://selvansoft.com/longurl/
- https://blog.selvansoft.com/2023/03/shorturlscams.html