QR Codes and You!

QR codes are quick, simple ways to share information (commonly website URLs) in an easy, scannable format. These codes are found in both digital and print media. Unfortunately, with that convenience also comes opportunity for abuse. Bad actors will often use QR codes to direct people to fraudulent or other deceptive websites to gather personal information. Here are some examples:

  1. Parking QR Codes: QR codes are commonly placed on parking meters or other payment kiosks, typically on their own. The person scanning the code is redirected to a payment site that appears realistic because it includes the parking location. However, the site is fake. If you enter your credit card information into the site, the scammer will now have that information!
  2. QR Codes in Phishing E-Mails (Quishing): The same concept applies to “quishing” as it does to most other phishing emails. This variant uses a QR code to send someone’s phone to an illegitimate site asking for personal information. The type of fake site it can direct you to depends on the tone and text of the particular phishing campaign.
  3. Package Scams: This one is less common, but it shows how bad actors are branching out into the non-digital space. With this scam, you receive a physical package (that you never ordered), and it has a QR code on the side accompanied by text such as “Issues? Scan This!” The code takes you to a fake delivery site that collects personal information as you attempt to “return” the package.

Tips for Avoidance:

  1. URL Preview: After scanning a QR code, most phones (like Apple iOS and Google Android) will allow you to preview the URL before it goes to the site. If the URL looks suspicious (such as http://fjleige93049.com instead of https://framingham.edu), then you should not proceed with loading the URL. Shortened URLs (like tinyurl.com) should be treated with skepticism when they come from a QR code.
  2. Public QR codes: QR codes in public are often on posters, stickers, or other print media. QR codes may be tampered with, which might look like a sticker placed over something else. A font, size, or other visual clue in the QR code and its text that does not match the rest of the media is an indicator that something is wrong. Only scan QR codes from familiar and trustworthy sources.
  3. When in doubt, ask! If you are unsure that a QR code link is legitimate, then you should contact the vendor who provided it. They should be able to determine if the site you were given is legitimate. Vendors are often happy to answer these questions, as it can help them identify locations within their domain that are compromised by a fraudulent link.
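
The preview checks from tip 1, written as an added example (not part of the original page) for someone reviewing URLs decoded from reported QR codes. The shortener list and the expected-domain set are assumptions for illustration, and the userinfo and lookalike-suffix checks go beyond what the tip states.

```python
from urllib.parse import urlsplit

# Assumptions for this example: both sets are illustrative, not complete lists.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}
EXPECTED_DOMAINS = {"framingham.edu"}


def review_qr_url(url, expected=EXPECTED_DOMAINS, shorteners=SHORTENERS):
    """Return a list of reasons to distrust a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]

    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    if not host:
        reasons.append("no-host")
        return reasons
    if parts.username is not None:
        # In https://framingham.edu@payments.example/ the real host is
        # payments.example; the text before "@" is only a username.
        reasons.append("userinfo-in-url")
    if host.startswith("www."):
        host = host[4:]
    if host in shorteners:
        # The preview hides the real destination behind the shortener.
        reasons.append("shortened-url")
    # The host must be an expected domain or a subdomain of one. A name that
    # merely contains the expected text (framingham.edu.example) does not count.
    if not any(host == d or host.endswith("." + d) for d in expected):
        reasons.append("unexpected-domain")
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs; the first two come from the tip itself.
    for sample in ("https://framingham.edu",
                   "http://fjleige93049.com",
                   "https://tinyurl.com/abc123",
                   "https://framingham.edu.example/login",
                   "https://framingham.edu@payments.example/"):
        print(sample, "->", review_qr_url(sample) or "no findings")
```

An empty result means none of these checks fired, not that the site is verified as legitimate.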