According to cybersecurity company ESET, QR code scams are becoming increasingly common.
Known as “quishing,” the scam involves redirecting a QR code’s intended link to a fake website designed to request payment details, with the aim of tricking users into entering their credit card information.
While these scams were almost unheard of a year ago, ESET said they now account for around one in ten reported scams.
“People might receive an email that has a QR code in it, or they might be seeing it out in the world somewhere, and they’re taking their mobile phones, they’re scanning that QR code, clicking on the link that it refers to, but it’s actually not going to the legitimate website and sending them through to somewhere that has been created by the scammer,” New Zealand manager Scott Leman said, explaining how QR codes carry higher risk because they bypass traditional IT security controls.
“That’s then asking them to either log in to their Google account or their Microsoft account or perhaps enter some credit card details to make a payment.”
“And that’s where they’re then losing their login details and credentials or losing their credit card information.”
He advised people to be cautious of emails from unknown senders and to ensure their devices have up-to-date antivirus protection installed.
“It could be an email that’s pretending to be from New Zealand Post, for example, and saying, ‘Hey, you have a package that’s on hold from Customs – scan this QR code to make payment to get it released, and please do it as quickly as possible to prevent any delays.’
“You then get your phone out, you scan that link, it goes through to a bad website, and you then lose your credit card details.”
Leman said QR code scams are becoming more effective because QR codes have become far more mainstream, appearing in places such as parking meters and even churches for donations. As a result, they are increasingly embedded in everyday life and culture.
He said malicious QR codes could also install malware on a user’s device.
“One of the bigger risks as well is not necessarily even putting in your credit card information, but if it then prompts you to log into your Google account, your Gmail account [or] Microsoft 365 login and password field, and you then go and put in your business’ Microsoft credentials into that.”
“And that’s where hackers or bad actors can then go in and potentially breach a business using those credentials.”