QR codes continue to pop up everywhere as we move deeper into 2024 and look ahead to 2025. They’re on restaurant menus, business cards, product labels, event tickets—even on the sides of buses. The appeal is clear: just open your camera, scan, and you’re instantly connected to something useful. Insider Intelligence estimates that the number of U.S. smartphone users scanning QR codes will rise to 99.5 million by 2025, an increase from 83.4 million in 2022. (Source: Insider Intelligence) But with growth comes risk. As QR codes become common, cybercriminals see new ways to exploit them.
Why QR Codes Are a Target
A QR code is a digital shortcut. Scanning it might open a website, reveal a coupon, or help process a payment. This convenience makes it a perfect lure for bad actors. Instead of tricking you with a suspicious link in text, attackers hide their malicious sites behind a neat black-and-white code.
What is Qishing?
Qishing is like phishing but uses QR codes. Criminals send emails or text messages that look legit—maybe it’s a note from your bank, a popular streaming service like Netflix, or a workplace tool like DocuSign prompting you to scan a QR code to “fix” a problem. Once scanned, you land on a fake site designed to steal your credentials or personal info. Email filters often miss these attacks because the harmful link sits inside the QR code image, not in the email text. (Source: Trustwave SpiderLabs)
Real-World Examples of QR Code Scams
- Parking Meter Scams: In early 2023, Austin, Texas, saw scammers place fake QR code stickers on public parking meters. Drivers who scanned these fake codes ended up entering their credit card details on a phony payment site. This simple trick led to stolen financial data. (Source: City of Austin News Release)
- Event Tickets and Check-Ins: In late 2023, security researchers reported that fake QR codes were being added to printed event tickets. When scanned, they didn’t show event details but redirected victims to pages prompting for personal info. Some international conferences even saw counterfeit badges with embedded QR codes that tricked attendees into logging into fraudulent “conference portals.”
- Streaming Service Impersonations: Attackers have also targeted customers of well-known streaming platforms. In mid-2024, fake emails claimed that the user’s streaming subscription had lapsed. To restore access, the recipient needed to scan a QR code and “re-verify” their payment details. Scanning led to a phishing page that collected credit card numbers and passwords.
- Restaurant Menus & Fake Surveys: With more restaurants going digital, some criminals replace a restaurant’s real QR code menu with a malicious one. Customers expecting to see a dinner menu instead reach a malicious site prompting them to download an “updated menu app.” Installing this malware-laden app could give attackers access to personal data on the device. In one reported case in New York, customers who fell for the scam had their information stolen and later used for fraudulent transactions. (Source: FBI Public Service Announcements)
Hidden Malware and Privacy Threats
QR codes can also lead you to download malware that records keystrokes or steals saved logins. Some criminals even track your location by logging where and when you scan a code, building a profile of your habits over time.
Staying Safe in 2024 and 2025
The National Cybersecurity Center (NCC) encourages everyone to practice solid “cyber hygiene.” These basic steps help ensure that even if you encounter a malicious QR code, the fallout will be limited. (Source: NCC)
How to Protect Yourself:
- Verify the URL Before Scanning: Take a moment to confirm the source. If a physical QR code looks like a sticker slapped over another, it might be fake.
- Be Cautious with Login or Payment Requests: Don’t trust a QR code that directly asks for personal or financial details. Instead, go to the official company website or contact their customer service.
- Double-Check at Events and Restaurants: For events, verify that the QR code you’re scanning matches what’s officially published by event organizers. In restaurants, if something seems off, ask a staff member to confirm which code is real.
- Stick to Official App Stores: Don’t download apps via QR codes. Use your device’s official app store, where apps go through security checks.
- Contact the Sender: If a friend or colleague sends you a QR code, confirm through a known communication channel that they actually sent it.
- Report Fraud: If you suspect you’ve been scammed, report it to your local FBI field office or submit a complaint to the FBI Internet Crime Complaint Center at IC3.gov.
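The checks in the list above can be automated once a scanner has decoded a QR code to text, before anything is opened. This is an added example, not part of the original post; the function name, the official-domain list and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def assess_qr_payload(payload, official_domains):
    """Return reasons to distrust a decoded QR payload (empty list = no flags)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed URL"]
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme {parts.scheme or 'none'!r})"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    # https://brand@evil-host/ shows the brand first but connects to evil-host.
    if parts.username is not None or parts.password is not None:
        reasons.append("text before '@' hides the real host")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return reasons + ["no host"]
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass  # a normal domain name
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible lookalike characters)")
    # Only the official domain or its subdomains pass; a brand name that
    # merely appears at the start of the host does not.
    official = [d.lower() for d in official_domains]
    if not any(host == d or host.endswith("." + d) for d in official):
        reasons.append(f"host {host!r} is not an official domain")
    if parts.path.lower().endswith((".apk", ".ipa")):
        reasons.append("direct app download outside an app store")
    return reasons

# Constructed sample payloads (reserved example names and documentation IPs).
SAMPLES = [
    "https://pay.parking.example/meter/42",
    "https://parking.example.pay-now.test/meter/42",
    "https://parking.example@203.0.113.7/pay",
    "http://parking.example/app/menu-update.apk",
]

if __name__ == "__main__":
    for url in SAMPLES:
        flags = assess_qr_payload(url, ["parking.example"])
        print(url, "->", flags or "no flags")
```

An empty result means only that none of these checks fired; the destination still has to match what the organization officially publishes.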
Wrapping Up
As we embrace the convenience of QR codes, we must also remain vigilant. In 2024 and heading into 2025, these little squares will become even more integrated into daily life. By staying alert, verifying sources, and taking a moment to think before you scan, you can enjoy the benefits of QR codes without falling victim to qishing or other malicious activities.
Editor's Note: This blog was updated on 12/10/2024.