Sunday, December 22, 2024

Look before you scan – the QR code scammers are phishing for business | John Naughton

Must read

Here’s a familiar scenario. You’re going to a meeting in an unfamiliar part of town. You’re running late and it’s raining. And there isn’t a car park in sight. Ah, but here’s some on-street parking and you gratefully pull into the empty bay. Now all you have to do is pay for a couple of hours and then scuttle along to your meeting. But the parking meter (of course) no longer takes coins. This is the 21st century, after all.

No worries – you can pay by phone. There are notices plastered all over the meter on how to pay using an app that – of course – you have not yet downloaded. The rain is getting heavier and there’s no mobile signal. You’re getting increasingly flustered. And then you spot that there’s a Quick Response (QR) code – a nice (if incomprehensible) square with lots of funny squares and spaces – on one side of the meter. Phew! All you have to do is scan it and you’ll be through to a website in no time. So you do and you are. Job done. Relax.

Er, possibly. Or possibly not. Because you were flustered, you probably didn’t take a close look at the QR code. Was it an integral part of the payment instructions issued by the local council? Or had it been pasted over the official QR code? If it’s the latter, then you’ve been scammed.

Just like David Birch’s sister. Birch is a renowned expert on digital identity and he tells her story on his blog. On a visit to some friends, she parked her car in a public car park. “She went to look at the schedule of charges and there was a handy sign advising drivers with smartphones to pay via a QR code. She scanned the code and was directed to a superficially plausible website. After giving her debit card details to what she thought was a legitimate car parking company, my sister fortunately spotted that the website was wholly fraudulent and was able to alert her bank in time to block transactions. But plenty of other people are getting caught in these scams as QR codes are quickly becoming a favourite tool in the criminal fraternity, with one cybersecurity vendor saying that QR featured in a fifth of phishing campaigns it detected in the first weeks of the final quarter of last year.”

In the past few years, QR codes have become ubiquitous. It’s now nearly impossible to board a plane without having a code on your phone, for example. Likewise, an increasing number of rail passengers have them instead of paper tickets. The imperative to go contactless during Covid really turbocharged the spread of the technology. Want to see the menu in a restaurant? Just scan a QR code.

The codes are essentially two-dimensional barcodes, but have the advantage that they can carry a lot more information than their linear cousins. So they’re genuinely useful. And so, so seductively convenient.

But they’re a security nightmare. Anyone can create one: just go to a free online service such as QR Code Generator, type in the URL you want to have coded and – bingo! – there’s your magic square for reproduction on a business card, company stationery, website, blog, whatever. And of course these creative opportunities are also available to bad actors, particularly scammers looking for a way of directing you to malevolent websites without having to post their dodgy URLs in plain sight.

Cybersecurity people have a term that denotes the target area for online crime: the “attack surface”. The wildfire spread of QR codes means that the global attack surface has been expanded by several orders of magnitude. It’s now, in effect, infinite.

Which probably explains why the US Federal Trade Commission has recently issued a consumer alert about the dangers of the technology. The alert does, naturally, mention the car parking scam, but focused more on those conducted via messaging systems. Examples include emails or texts containing a QR code accompanied by ostensibly plausible reasons why you may need to scan it. They couldn’t deliver your package, perhaps, and you need to contact them to reschedule delivery. Or there’s a problem with your account and you need to confirm your personal information. Or that some suspicious activity has been detected on your bank account, which means that you need to change your password. The key idea is to create a sense of urgency that the hapless victim will feel when they switch on their computer or smartphone first thing in the morning. Thus doth technology make suckers of us all.

What can be done about it? Not much, really, except to try to inculcate in users a healthy scepticism towards the codes. Many smartphones now enable you to preview the URL that is concealed in a particular code before scanning it. There’s plenty of sensible consumer advice on YouTube and elsewhere: think before you scan; never scan QR codes that come in emails or junk snail mail; be wary of shortened URLs (Bitly, TinyURL et al) because they conceal the actual address; never, ever give bank information to online services – and so on. Common sense, basically.

skip past newsletter promotion

Oh, and never forget the late Intel chief executive Andy Grove’s celebrated injunction: in the digital world, only the paranoid survive.

What I’ve been reading

Take a letter
If You’re Z, Here’s What You See is a remarkably perceptive essay about gen Z by Timothy Burke on Substack.

Film theory
Daniel Kipnis’s striking essay Poland’s Zone of Interest discusses Jonathan Glazer’s Oscar-winning movie.

War report
Ukraine on the Ropes is a characteristically insightful report from Kyiv by Timothy Garton Ash on Substack.

Latest article