Malicious QR Codes

CSE Staff's avatar

CSE Staff

posted on

A person holding a smartphone displaying a QR code.
Man holds smartphone, on screen of which QR code displayed.

If a street vendor or other stranger offers you a QR code to scan for an impulse purchase or donation, be careful. You could be walking right into a trap set by cybercriminals. QR codes can be malicious.

A Quick-Response code (QR code) is a type of two-dimensional matrix barcode.  QR codes can store all kinds of information like text and URLs. It is those QR codes that redirect you to websites that are the most dangerous. They can be used by hackers to commit phishing attacks and steal your sensitive information.

Hackers know how to use software that generates QR codes. When scanned, these QR codes route innocent victims to malicious websites set up by the hackers.  These websites can capture private information, spread malware and steal payment information. Sometimes hackers post their malicious QR codes in public places like on fliers, stickers or even in parking garages to fool people who are attempting to pay the parking fee.

Proceed with caution anytime you use your phone to scan a QR code that links to a website. After the website launches on your phone, carefully inspect the URL, also called the website address. Make sure that website address is valid – it should have a proper name and not be made up of a random string of characters. The website domain should also match the name of the business that is providing the QR code.

A smartphone displaying a payment entry form with fields for credit card number, expiration date, and secure code, alongside a payment button. Next to it is a sign for 'Malibu Parking Co.' showing daily rates and a QR code for payments.
Example showing a malicious website displayed from a QR code. The website URL (web address) does not match the company’s name.

Avoid using websites that end with an unusual domain extension. The domain extension is the string of letters after the last dot in a website address. The Domain extension should always match the website type. Commercial websites should end with .co, .com, or less frequently .net. Avoid websites that use international domain extensions.

Never enter credit card information on a website that lacks encryption. Websites that use encryption will display a small lock next to the website address. The website address should also start with HTTPS. HTTPS means the website is protected with encryption.

If a website requests sensitive details like your online banking credentials, leave the website immediately.

Watch our YouTube video to learn how these scams work.

Discover more from Computer Safety Everyday

Subscribe now to keep reading and get access to the full archive.

Continue reading