QR code scam

Car owners in San Francisco recently found phony parking tickets placed under windshield wiper blades, highlighting the lurking dangers posed by QR codes. 

The phony tickets informed car owners that the $60 fine could be paid by scanning a QR code. The destination was a cloned version of the San Francisco Municipal Transportation Agency’s website set up to collect payments that went straight to the scammer.

The term QR stands for “Quick Response.” You’ve no doubt seen these square, black and white codes at stores for many years, but their use ramped up during Covid. The code is read by a smartphone’s camera, and translated into a link to a website. No more typing. The technology is well suited to fast, incautious behavior since it is usually used for consumer items. 

Neither cloned websites nor QR codes are new, but scams that combine the two are relatively new. The push for Covid-era zero-contact services made QR codes more common, since they emerged as the no-fuss way to display restaurant menus and proof of vaccination. QR code usage quadrupled in 2022 alone. 

QR scams work precisely because we’re more accustomed to scanning codes in public areas since the Covid shutdown. Airlines, doctor’s offices, city government agencies, restaurants, workplaces and even zoos transmit often useful data using these codes. Why not use it to pay a parking ticket? 

Adding to the potential for scams is the fact that the intended destination of a QR code is not discernible: it takes you wherever it takes you. So, a code that offers a coupon for a discounted product may link to a site that automatically installs malware on your device. While some smartphones provide previews of a code's destination, this may be circumvented with a link shortener, which abbreviates website addresses, as well as, of course, a clone site. 

Most QR codes work as advertised, but the ease of placing one in a public area while concealing the linked destination means potential trouble, and caution is warranted in any situation that involves these codes.

Takeaways:

  • Avoid scanning QR codes when you can navigate manually. Your digital flight ticket is most likely safe. A sticker in the bathroom of a restaurant or on a ticket on your windshield may not be.
  • If your phone supports QR code previews, check and double-check the destination URL. If it leads to a URL shortener (t.co, bit.ly, etc.), navigate directly just to be on the safe side.
  • Don’t provide payment or sensitive information to websites reached, or apps installed, via QR code.
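
The preview check from the second takeaway can be automated; the sketch below is an added example, not part of the original article, and flags a decoded QR payload that hides behind a shortener or does not belong to the site you expected. The host names, the `triage_qr_url` helper and the shortener list beyond t.co and bit.ly are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Shorteners named in the article plus a few other well-known ones (not exhaustive).
SHORTENERS = {"t.co", "bit.ly", "tinyurl.com", "is.gd", "ow.ly"}

def triage_qr_url(payload: str, expected_host: str) -> list[str]:
    """Return reasons to distrust a URL decoded from a QR code ([] = no flags)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        username = parts.username
    except ValueError:
        return ["unparseable"]
    expected = expected_host.lower()
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    if username is not None:
        # "https://real-site@other-host/" shows the real name but goes elsewhere.
        findings.append("userinfo-in-url")
    if host in SHORTENERS:
        # The preview only shows the shortener, not where it redirects.
        findings.append("shortener-hides-destination")
    elif host != expected and not host.endswith("." + expected):
        # Covers clone sites that merely contain the official name.
        findings.append("host-mismatch")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    return findings

# Constructed sample payloads; every host and path below is a placeholder.
SAMPLES = [
    "https://pay.citytransit.example/ticket/123",
    "https://bit.ly/EXAMPLE",
    "https://citytransit.example.pay-fines.example/ticket/123",
    "https://citytransit.example@pay-fines.example/ticket",
    "http://citytransit.example/ticket/123",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", triage_qr_url(url, "citytransit.example") or ["ok"])
```

An empty result only means none of these checks fired; the expected host still has to come from a source other than the QR code itself, such as the agency's printed correspondence.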