MacDirectory magazine is the premiere creative lifestyle magazine for Apple enthusiasts featuring interviews, in-depth tech reviews, Apple news, insights, latest Apple patents, apps, market analysis, entertainment and more.
Issue link: https://digital.macdirectory.com/i/1451520
past year that most people have been conditioned to scan them without a second thought. Predictably, this situation is now being exploited by bad actors all over the world. QR code phishing is on the rise.

What is it? Basically, it’s quite similar to other kinds of phishing. It’s a social engineering attack that tries to steal sensitive data, login details, or credit card information. But while “traditional” phishing relies on emailed links to get victims to a phishing website, QR code phishing does the same thing via, you guessed it, QR codes!

QR Phishing in Practice

There are tons of variations on QR code scams, limited only by the scammers’ ingenuity. Here are some examples of how the bad guys have used QR phishing to scam people:

In China, scammers put fake parking tickets on cars with QR codes for “paying” the tickets. Unfortunately, the QR codes actually routed payments to an account controlled by the scammers.

In the Netherlands, ING Bank customers fell victim to a QR scam that made use of a legitimate feature of the bank’s mobile banking app. Scammers looked for ING customers who were selling things online, asked for their account numbers in order to send them a wire transfer, and then sent them a QR code so that they could “confirm the payment”. But if they scanned the QR code, their bank accounts would be linked up to the ING banking app installed on the scammers’ device!

In Germany, folks have been getting emails from scammers pretending to be banks. The scammers tell people that they need to confirm a privacy policy or read through some new security procedures. The emails include a QR code that supposedly takes you to the web page where you can do this. But if you scan it, you’re taken instead to a phishing site that asks for your username and PIN.

In Texas, criminals have started putting malicious QR codes on city parking meters. Police in Houston, San Antonio, and Austin say that they’ve all found stickers with the fake QR codes.
The stickers attempt to fool drivers into believing that they’re paying for parking online. But in reality, the QR codes link to a phishing website that steals credit card details.

How to Avoid QR Code Scams

In today’s world, it’s not feasible to just never scan a QR code again. So what can you do to avoid QR scams? Here are six practical suggestions:

1. Slow down
Before you scan a QR code, take a second to think about what’s really going on. Do you know who put that QR code there? Have you ever seen a QR code used this way before? If something seems strange, trust your instinct and don’t scan that code!

2. Think link
It’s helpful to think of QR codes as links (and most of the time, that’s what they are!). Before scanning one, ask yourself the following question: If this was a link that had come in an email, would I trust it?

3. Inspect URLs
In iOS, your Camera app will show you a link preview when you point your iPhone at a QR code. Take a second to inspect the link before opening it. If the link doesn’t match the organization that the QR code says it comes from, or if it looks suspicious, then don’t go to that website!

4. Look for tampering
Bad guys sometimes put stickers with their own QR codes over top of legitimate QR codes. If you’re in a place that regularly uses QR codes (e.g. a restaurant), watch for signs of physical tampering that might indicate a malicious QR code.

5. Make a “never list”
Keep a mental list of situations in which you’d never trust a QR code. We’d suggest avoiding all QR codes that take you to sites asking for highly sensitive personal or financial data (especially anything to do with banking or credit cards). It’s also wise to avoid QR codes mailed to you in junk mail or randomly stuck on the side of a building: In these cases, you just can’t know who put the QR codes there.

6. Turn on 2FA
We’ve said it many times before, but two-factor authentication is one of the very best ways to keep your accounts secure. If you have 2FA enabled, then a phishing attack that succeeds in stealing your credentials still won’t result in an account compromise. We’d recommend turning on 2FA whenever possible.
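
The link inspection in suggestion 3 can also be done by software that handles decoded QR payloads, such as a mail filter or a scanning app. The following is an added example, not part of the original article: it compares a decoded link with the domain of the organization the code claims to come from. The function name, the finding labels and the .example hostnames are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def inspect_qr_url(payload: str, expected_domain: str) -> list[str]:
    """Return reasons to distrust a decoded QR link; an empty list means no red flag."""
    findings = []
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    expected = expected_domain.lower().rstrip(".")

    if parts.scheme != "https":
        findings.append("not-https")
    if not host:
        return findings + ["no-host"]
    # "https://bank.example@other.example/" really goes to other.example.
    if parts.username is not None:
        findings.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # a normal DNS name
    # Punycode labels can render as lookalike characters in a link preview.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    # Only the expected domain itself or one of its subdomains is a match.
    if host != expected and not host.endswith("." + expected):
        findings.append("host-mismatch")
        if expected in host:
            findings.append("expected-name-embedded-in-other-host")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads for a sticker claiming to be from city-parking.example.
    samples = [
        "https://pay.city-parking.example/meter/42",
        "https://city-parking.example.pay-now.example/meter/42",
        "https://city-parking.example@pay-now.example/",
        "http://203.0.113.7/pay",
    ]
    for url in samples:
        print(url, "->", inspect_qr_url(url, "city-parking.example") or "no red flags")
```

An empty result only means the link matches the expected domain; it says nothing about whether the sticker or email that carried the code is genuine.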