How Hacks Happen

Are QR Codes Scammy?

Many Worlds Productions Season 3 Episode 2

QR codes are a super convenient way to access a website or app from your phone without having to type anything in. And while some scammers use QR codes to try and steal your personal information and money, most QR codes are just fine. Learn how to spot a scammy QR code so you can use them safely, and confidently enjoy all the conveniences they offer.


TRANSCRIPT: Are QR Codes Scammy?

Michele: Did you make all of these? They’re beautiful.

Katie: Oh, thank you! See anything you’d like to take home?

Michele: How much for this one?

Katie: Oh, that's a nice choice. It’s $120.

Michele: Do you take credit cards?

Katie: No, but you can Venmo me. Here, just scan this QR code. That’ll take you right to it.

Michele: Uh, I don’t know. QR codes can be kind of sketch, right?

Katie: It just goes right to my Venmo…

Michele: How do I know that?

Katie: Um, because I made the QR code myself? For my own Venmo?

Michele: Oh. Um, never mind. I’ll just go find an ATM.

Katie: I can just tell you my Venmo… Right. Bye. Hi, welcome to the Art Market. See anything you like?

We’ve all seen QR codes, those square barcodey kind of pictures that you can scan with your phone, and a little button shows up under the picture, that takes you to a website or an app or to some other online location. You’ve probably also heard that you should beware of QR codes, because they can steal your personal information and even your money.

But that’s not really accurate. QR codes don’t exactly jump out from a dark alley and grab all your info without your consent. They’re actually pretty cool, and you can use them safely, if you know how they work.

In this episode of How Hacks Happen, we’ll look at QR codes: what they are, why they’re actually a really cool idea, and how scammers sometimes try to use fake QR codes to steal your money or personal information. And also, how to spot these fake codes, so you can QR safely.

You’ve probably heard the sound bites on the news.

“This morning, a warning: scammers now using QR codes to steal your personal information and money.”

“...can use QR codes to steal important personal information…”

“...official says, be careful what you scan.”

This kind of reporting can make us afraid of all QR codes, which isn’t right. QR codes are super useful, and we shouldn’t be dissing all of them just because of a few bad apples.

The truth is, QR codes, in and of themselves, are just fine. And they’re super convenient, which is why so many people and businesses use them–to show you their menu, or a movie trailer, or just to send you to their website. Another common use for QR codes is in parking lots or on parking meters, where you can pay for your parking space online with a credit card. These are all perfectly valid uses for QR codes, the kind of things they were made for, ones that make our lives easier.

To understand how scammers can use QR codes for evil purposes, let’s take a closer look at what a QR code is, and what it isn’t. And why it’s not so bad, until, well…it is.

The QR in QR code stands for Quick Response. It has its roots in the barcode. A barcode has a bunch of vertical bars, and each one represents a single digit or a letter. You could consider the barcode to be a one-dimensional code, whereas a QR code is a two-dimensional barcode, with little squares, black and white squares, instead of bars. And the pattern is different for every QR code, and each one relates to an online destination of some kind, like a website or an app.

You can generate a QR code for any online destination, and you can do it for free at any number of websites. Just open your browser and search for “generate free qr code” and you’ll get loads of websites where you can make one. All you need is an online destination of some kind. So you could, for example, make one that just sends people to your website, where you list your company’s services, and there’s a number there to call to get a quote or book a service. Simple as that.

Another example is for payment. I’ve seen QR codes at art markets and flea markets, where the seller has a QR code taped to their table. You open the camera app on your phone, hold it in front of the QR code, tap the button, and it sends you right to the seller’s Venmo or PayPal or some other method of payment. This works out great for everyone–you don’t have to whip out your credit card or carry around cash in case you see this awesome velvet painting of penguins playing poker and you just have to have it! You just use that QR code to go right there and pay them. And the seller can also see on their end right away that you have paid. Win-win.

I’ve even done this myself. I was at a conference once where I was selling my book, The Art and Math of Cryptography. Some people didn’t want to buy the book right then and there and carry it around with them, so I had a QR code where they could go to Amazon and order it, and that worked out great. Everybody was happy with this arrangement, especially me.

I’ve even seen QR codes where someone used it to send me their digital business card, or to their email, or to their LinkedIn or their Facebook account so we can connect up, instead of handing me a paper business card, which I’d probably lose in a week. And it eliminates all this time-consuming typing, which can be awkward and maybe inaccurate. Instead of trying to type out someone’s name on LinkedIn or Facebook to find them, and maybe you spell it wrong, or maybe it’s a common name and you get the wrong person, with a QR code you know you’re going right to that person’s profile and you can connect with them. Works out great.

Now if you do go and get yourself a QR code, you can print it out, you can put it on your business card, you can post it on the internet, you can make stickers for it, you can make a big sign for your business’s window. I’ve seen them on movie posters, party invitations, signs in storefront windows, on the sides of trucks… anytime there’s an online destination to be visited, you can replace that URL with a QR code, a handy-dandy QR code.

So where did this idea come from? 

QR codes aren’t really that new. They were conceived in 1994, when a Japanese automotive company called Denso Wave wanted to find a way to speed up their production line for their products. The problem they had was, they were using barcodes to track production information, but a single barcode couldn’t hold enough data. So they had to apply multiple barcodes to each product to capture all its information, and scanning all these barcodes sometimes slowed down production, like if the part flipped over and they couldn’t read it, they had to flip it back over. It was a pain.

One of Denso Wave’s employees, Masahiro Hara, was one of the people concerned about this problem, and one day he was playing the game “Go” when he got this idea. Maybe you’ve never played Go, but it’s actually a really cool game of strategy where players take turns putting black and white stones or disks on a grid to try and surround areas of the grid. And every game ends up with a different pattern of black and white stones. See where I’m going with this?

When playing Go, Hara saw this pattern of black and white circles, and got the idea of using a grid of black and white squares to hold all the information of several barcodes, a two-dimensional barcode. Great idea! Hara and his Denso Wave team, they then went on to develop the Quick Response Code, or QR code.

In 1994, Denso Wave made QR code technology freely available to the public, but I’m pretty sure they had no idea of how QR codes would boom in the years to come, especially after cellphones started to include cameras.

In 2002, the first phones with built-in QR scanners showed up. Eventually, anybody with a smartphone had a QR scanner, right there in their camera app. 

The first time I remember using a QR code on my phone was around 2009, when I was at this restaurant with some friends. The restaurant was really busy, and we were waiting for the server to come over and bring us menus. But then we saw that they had a QR code at the table, so we could scan it and go and look at the menu. By the time the server came over, we had all picked out what we wanted to eat. It made things go quicker. It was great.

But it was still kind of a novelty, you didn’t see it that often back then. Then, the COVID-19 pandemic hit. In 2020, QR codes were suddenly everywhere. It was a great solution for social distancing because you could share information or grab information without having to go near another person. More and more restaurants, for example, started to use QR codes to send you to the menu, so you could order food without touching a physical menu that might have other people’s germs on it. 

Another common use for it was to have a QR code that you could use to pay for your parking. This was a great solution for you to not have to go and touch the machine that you would pay for your parking in. Also, the city didn’t have to maintain the machines. It was a win-win. Great idea for that.

And now, in 2024, QR codes are here to stay. Instead of spelling out your Venmo for a customer, you show them the QR code! Instead of posting the overly long URL for your website on your business card or in your store window or whatever, you just have a QR code. 

The problem is…where technology goes, scammers are never far behind. Scammers found a very convenient way to hijack QR codes for their own benefit.

A scam from a fake QR code actually has its own name: it’s quishing. It’s like phishing, with a Q. Because it’s sort of like phishing emails, but it’s done with QR codes. The idea with a phishing email is to get you to click a link and enter some information, and that’s what a fake QR code does, so it’s quishing. (I didn’t make up this name, so don’t blame me. I just tell you what they are.)

The process of running a quishing scam is actually pretty straightforward–there’s not a lot of advanced technology involved at all. The scammer just makes their own QR code and they print it out, and the QR code they make goes to a custom website that they’ve set up just for the scam. Then they put this fake QR code somewhere, and try to pass it off as a legitimate one, with a supposedly legitimate reason why you would scan the QR code and enter some information. 

The classic one is a sticker with a fake QR code, slapped on a parking meter or in a parking garage on the wall, a place that might legitimately use QR codes for payment. Lots of parking services already use QR codes now, so that’s not unexpected, right? So you, a good citizen just trying to pay for your parking, end up going to this scam website instead of paying the actual fee.

This way, the scammer gets to charge your credit card with a bogus charge, and they might even get you to put in your name or address or credit card details that they can sell to other scammers. On top of that, you might get a parking ticket, since you didn’t actually pay for your parking. It’s super annoying.

Another flavor of this scam involves a package being delivered to your house, something you never ordered, and don’t want. It’s usually something of very little value like a pen, or a dishrag, or a plastic spoon or something. I’m not kidding, people have actually received just a plastic spoon. Or sometimes, the box is empty. So you, being a good person, you’re like, “Oh, this must have gone to the wrong place,” or “Somebody must be looking for their package.” So you check the return address to try and figure out what happened. The return address isn’t recognizable or you can’t find it through a browser search, but inside the box is a printed message that says something like, “To find out who sent this to you, scan this QR code.” So if you want to find out who sent you a plastic spoon as a special gift–who sends that as a gift?–you scan the QR code. It might ask you for personal information, maybe even just your address. Then the scammer knows that that actually is your address, and that can be valuable to them. It might even ask for a fee, something like $1, something small. That, of course, is an attempt to get your credit card information.

You might also get an email with a QR code, which is almost always a scam. I mean, a QR code is just a link, so why wouldn’t they just put the link in the email? If you have good spam detection on your email, you maybe haven’t seen this one. And since a QR code is interpreted as a picture by your email service, it will only show to you if you choose to download pictures in your email.

There are other flavors of QR code scams, and I’m sure scammers are busy coming up with new ones even as you're listening to this, but those are the main ones that we know about. 

Now, for quishing to work, several things have to be in place. Let’s break that down.

First, fake QR codes work only if they’re anonymous. By “anonymous” I mean there’s no identifiable person or company associated with it. There’s nobody standing there. Like, a bunch of parking meters, or in the case of the package with the QR code message, there’s no return address. If it’s a scam, there’s no identifiable person or company to pin the blame on. 

By contrast, that artist at the Art Market who showed you her QR code for payment, that’s going to be a real QR code, because she wants to get paid. She’s been standing there, nobody’s come and slapped a sticker over her QR code, and she’d notice pretty quick if they did, because she checks every payment while you’re standing there.

Same with a QR code on the side of a truck, advertising a business like landscaping or construction. The owner of the business wants you to go to their website and check out their services, and maybe request a quote and hire them. So they’re going to have a real QR code. The QR code is directly associated with the owner of the truck–there is a person or entity involved. The same goes for menus in restaurants, or a business card that someone just handed you. The person’s right there, so it’s easy to tell if the QR code took you to where you expected it to, like an online menu or LinkedIn or whatever, wherever it’s supposed to go.

By contrast, scammers who put up fake QR codes, they’re not going to hang around and wait for people to use them. That takes too much time. They just want the quick and dirty slam bam. So they’re going to paste them up all over the city, as many as they can, and then they’re going to get out of there and go home and wait for the information to come in. By the time you find out that it’s fake, they are long gone.

So that’s the first thing: These fake QR codes only happen when there isn’t an individual or company there to vouch for it. 

The second thing is, in order for you to get quished, you have to actively participate in the scam. Scanning a QR code just takes you to a website or an app, that doesn’t take any information from you. It doesn’t take your money, it doesn’t take your credit card, it doesn’t do anything. You have to actively type something in, or tap a payment button, or do something, before the website or app can get anything from you.

This is where a lot of the news outlets got it wrong. A website or app can’t steal your personal information from you just from opening it on your phone–it’s only when you type in your information, you voluntarily give it up, or agree to send it, or tap some kind of scammy download button, or take some action, anything. A lot of the news made it sound like just scanning a QR code with your phone’s camera, it immediately sends all your personal information to a scammer, like all your bank accounts, all your credit cards, and that’s just not true. Your information is safe unless you actively give it to the website or app.

Now, please note that what I just said is true for QR codes that you scan on your phone–if you don’t take action after opening the link, nothing bad will happen. But if you open the QR code on your PC, like one you receive in email or something, there is a chance that the website or the destination will download some kind of malware onto your PC even without you doing anything other than visiting the link. So just use your phone when it comes to QR codes, and leave your PC out of it. 

So how can you detect a quishing scam, a fake QR code that you really shouldn’t interact with? It’s actually not that hard, it just takes a little awareness.

In the case of a parking meter or parking lot, take a close look at the QR code sticker. Are there actually two stickers, one on top of the other? As anyone who works with stickers knows, it’s really, really hard to line up two stickers perfectly. If there’s a sticker on top of a sticker, chances are, there’s a little corner sticking out somewhere, that gives it away. Or if the sticker on top is bigger than the one underneath, it will be a little bit lumpy, and that will give away the fact that there’s a sticker on top of a sticker. 

Another thing is to take a good look at where the QR code sends you. Look at the URL, make sure it matches up with whatever you’re doing or where you are. In one reported case with the parking one, the link sent people to a website called “poyforparking” instead of “payforparking.” This is where being good at spelling is really helpful. You can look at a URL a lot of times and go, “That's not quite right.” Also, if you’re using a QR code to pay for parking, if it asks for your name and address, why does it need that? Usually, the city or the parking lot, they just want to know your license plate number maybe, and your payment method. If it’s asking for weird things or things are spelled wrong, the usual phishing things, it’s probably a scam.

In the case of the artist at the Art Market, the one using a QR code to send customers to her Venmo, the QR code should take you directly to Venmo, and that person’s name should pop up. You can always show it to the person to verify that you’ve got it right, before putting in the payment information, and the artist should say “Yup, that’s me.” If they say “No, it’s not,” it means something weird has been going on. Cuz remember, they want to get paid.

If someone uses a QR code to give you their contact information or LinkedIn account, and they’re standing right in front of you, it’s probably all on the up and up. And you can always use your own judgment to determine whether you’ve gotten to the right place. You can show it to them, you can compare the picture. Do all those things. Use your common sense.

And that’s it! Just by being smart and informed and aware, you can navigate the world of QR codes like a champ, and enjoy all the conveniences they have to offer, without falling victim to scammers.

This is Michele Bousquet from How Hacks Happen, inviting you to go forth and QR responsibly, and avoid getting s-quished under the wheel of s-cammers. Shout out to Katie Haze of Katie Haze Productions for producing this episode, and for providing the lovely voice of the artist at the beginning. See you next time!