QR codes and scams


QR or "quick response" codes are those square-shaped images that look like a bar code. They're composed of digital black modules and square dots arranged in a square grid on a white background. Make sense? No? Okay, here's a picture of one:


The QR code system was invented back in 1994 by Toyota to track components during the manufacturing of its vehicles. In the last 10 years or so we've seen them being adopted by businesses as a simple way to track their products and, more importantly for our purposes, direct customers to their websites, streamline online transactions and so on.   

QR codes have been widely adopted in Asia, particularly China, with vendors such as WeChatPay and AliPay introducing technologies that integrate the mobile phone QR code scanning capabilities into online payment systems to drive retail sales. The result is QR codes are often posted on websites, advertisements, restaurants, etc. as a way to enable users to retrieve information and even process a transaction. And that's where the cyber criminals come in.

Cyber criminals are using a variety of techniques to superimpose their own QR code over the one posted by the business. This allows them to redirect the user to a malicious website to capture their credentials, install malware on their smartphone, and so on. Or they generate a generic, somewhat vague poster or advertisement designed to play on your sense of curiosity and include a malicious QR code.

Is it a problem? One article reports that about $17 million CAD has been stolen in China’s Guangdong province, which largely uses QR codes for everyday business. On top of that there are the other criminal activities such as click fraud and credentials theft. So yes, this is a problem and because QR codes are gaining popularity, it's only going to get worse.

How do you protect yourself? Here are a few basic tips:

  • Before scanning a QR code, take a good look at the code for any signs of tampering such as a sticker placed on a printed menu or pamphlet.
  • Look out for pixelated images and logos, as well as spelling mistakes to identify fake codes.
  • Use a secure QR code scanner that can flag malicious websites and show the actual URL before scanning the code.
  • Do not key in any personal information after scanning a QR code.
  • Be wary about scanning a code in public places, like transportation depots, bus stops or city centres, even if it’s on a printed poster.
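
For the curious, here is roughly what "show the actual URL" can look like inside a scanner app. This is an added example, not code from the original post or from any particular scanner; the function name, the warning rules and the short list of link shorteners are illustrative assumptions, and passing these checks does not prove a link is safe.

```python
from urllib.parse import urlsplit
import ipaddress

# Illustrative, incomplete list of link-shortener hosts (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def inspect_qr_payload(payload: str) -> dict:
    """Return the real destination host of a decoded QR payload plus warnings."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return {"host": None, "warnings": ["payload is not a well-formed URL"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes can also carry Wi-Fi settings, contacts, plain text, etc.
        return {"host": None,
                "warnings": [f"not a web link (scheme: {scheme or 'none'})"]}
    host = (parts.hostname or "").lower()
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        # In https://name@host/ the part before '@' is NOT the website.
        warnings.append(f"text before '@' is decoration; real host is {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a name")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host; may imitate another name")
    if host in SHORTENERS:
        warnings.append("link shortener hides the final destination")
    return {"host": host, "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample payloads using reserved example names and addresses.
    samples = [
        "https://www.example.com/menu",
        "https://mybank.example@198.51.100.7/login",
        "http://xn--exmple-cua.example/pay",
        "https://bit.ly/abc123",
        "WIFI:T:WPA;S:cafe;;",
    ]
    for s in samples:
        print(s, "->", inspect_qr_payload(s))
```
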

Bottom line—be extra attentive when scanning QR codes. As more mobile payment platforms are making their way into the mainstream, it is important that users, merchants and organizations using QR codes practice the necessary precautions to ensure that all parties do not lose money or data to similar scams.