The Weekly Breach Breakdown Podcast by ITRC - QR Code Red - S5E2

Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 12, 2024.Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we discuss the evolution of Quick Response (QR) Codes and give you the latest on the increase in fake QR codes and scams around this technology.

If you have ever heard a “Code Red,” it typically means something significant is happening that requires urgent attention. In a hospital, it could indicate fire or smoke. There are also CodeRED alert systems for severe thunderstorms, tornados or other natural disasters. There was even a computer worm called Code Red that attacked computers running Microsoft web servers in 2001. Also, who can forget Code Red Mountain Dew? However, that is the one Cod Red that does not require urgent attention.

What are QR Codes?

The Federal Trade Commission (FTC) is issuing its own code red, or warning, about QR codes. Before we get into the warning, let’s give some background on QR codes. They are digital barcodes often used for electronic tickets for travel events, to view a restaurant’s menu or to share product information at a retailer. They are a quick way to get people to websites, promotional codes and mobile payments. QR codes have grown in popularity over the years, with COVID-19 speeding up their use with an increasing number of businesses looking to enact contactless encounters and transactions.

QR Code Security Risks

While QR codes are convenient, they also come with some security risks. A report by endpoint management and security provider Ivanti shows that QR code usage is up. However, 83 percent of those surveyed said they had used a QR code for a financial transaction in the past three months but were unaware of the risks. Only 47 percent knew scanning a QR code could open a URL, and 37 percent knew it could download an application.

FTC Warns of Fake QR Codes and Scams

Like always, identity criminals have caught on, leading to security threats for those who use them. According to the FTC, there are reports of fake QR codes as scammers cover up QR codes on parking meters with their own malicious digital barcodes. Other attackers send QR codes by text message or email with an enticing but fake reason for you to scan it.

How to Protect Yourself from Fake QR Codes and Scams

While criminals have noticed the rise in QR codes and figured out how to exploit them with fake QR codes, you can use them and protect yourself by – being skeptical.

• Only scan QR codes from trusted entities. They are less likely to have a malicious digital barcode on a restaurant menu, plane ticket or promotional code.
• If you see a QR code pasted on top of another, ask an employee about it. The restaurant or retailer may have just updated their QR code. However, it could also be a malicious code.
• Check the website address of the QR code before you scan it. Most phones will show you the web address before you click it. You can also safely view a website by adding a “+” sign after the URL. Look for misspellings in the URL.
• Do not scan a QR code in an email or text you are not expecting. Instead, go back to the source directly to verify the validity of the message.

The more people protect themselves, the harder it will be for identity thieves to succeed in QR code scams with fake QR codes. Everyone will then be able to use the convenient contactless barcodes safely.

Contact the ITRC

If you want to know more about how to protect your business or personal information, fake QR codes or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. In two weeks, we will have an episode of our sister podcast, the Fraudian Slip, breaking down the findings in our 2023 Annual Data Breach Report, which will be released on January 25. We won’t give too much away. Let’s just say the findings will make your head turn. You will be able to download the report by visiting www.idtheftcenter.org/publications. 

We will return next week with another episode of the Weekly Breach Breakdown.