QR (Quick Response) codes are everywhere these days. They make many things easier and faster - not just for the consumer, but for the cyber crook as well. It’s simple: Easier for you – easier for them.

Walk into many restaurants and the menu is accessible on your phone by capturing the code on a sign when you enter. Check to make sure it’s not a fake code on a sticker covering the real code, because that’s one avenue crooks are taking – distract the host/hostess while an accomplice plasters the malicious code onto the sign.

There’s even a QR code on a “Be More Like Betty” mural commemorating animal protection advocate Betty White which encourages dog rescue donations. Just grab the code with your phone and it takes you to the donation website.

Now cyber criminals are cashing in with phony QR codes that take you to copied websites that steal your information or lock up your phone – or even your work computer and network – with Ransomware.

Every consumer should be careful about randomly capturing codes offering great deals – especially if they appear on the phone unsolicited. It is just that kind of advertising that enables the big ‘free’ social media companies to make tens of billions of dollars per year. There are so many ads bouncing onto a consumer’s screen that it’s difficult to spot the scams.

Google offers a QR code sign-in as an extra layer of security. You must be signed into your Google account on at least one device already. Even though Google has reasonably decent Cybersecurity measures, ANY website can be spoofed (copied) and provide the user with a malicious QR code.

Consumers and their smart phones are relatively easy marks for criminals. Mobile security provider MobileIron surveyed over 2,100 end-users across the US and UK and found results that were far from comforting. Mobile users as a rule do not understand QR codes or their potential risks – 71% of those surveyed said they could not tell the difference between a malicious and a legitimate QR code. Half (51%) of respondents had no idea what kind of Cybersecurity they had on their mobile devices – or even if they had any at all.

By and large, the crooks targeting consumers are small-time. Consumers typically don’t have IT services at their disposal, and crooks usually just bite them for a couple hundred bucks. The big-time criminals go after bigger money from businesses. This is where real IT support needs to stand guard.

The FBI published warnings and advice on how to avoid these scams:
“Here’s how to protect yourself:

~ Do not scan a randomly found QR code.
~ Be suspicious if, after scanning a QR code, the site asks for a password or login info.
~ Do not scan QR codes received in emails unless you know they are legitimate. Call the sender to confirm.
~ Some scammers are physically pasting bogus codes over legitimate ones. If it looks as though a code has been tampered with at your local bar or restaurant, don’t use it. Same thing with legitimate ads you pick up or get in the mail.”

Cyber criminals are also perfecting the ability to infect business networks, and they are already doing it – both through phishing emails containing QR codes and through phones connected to a business network.

Phone to Network

It used to be that only field personnel had to have their smart phones connected to the office network. With the dramatic rise in the remote workforce, employees who work from home are connected on several different devices: desktops/laptops, phones, and tablets. The smart phone used to scan a code is a direct bridge to the office network.

This, and the growing threat of fake QR codes, were the subjects of a recent Zoom symposium between IT Support LA and a number of reputable members of the IT Support Los Angeles Community. Remote devices, especially phones, have long been the weakest link in Cybersecurity defenses.

This falls under the area of Security Awareness Training. Just as we at IT Support LA teach our clients how to spot standard phishing emails and send them immediately to our IT HelpDesk, we have included the scanning of QR codes. Cybersecurity is not just the concern of IT Support – the end users must be on board and vigilant.

Once the crooks are in your phone – and your phone is connected to the network – they are in your network, and your in-house IT support or outsourced Managed IT Services provider is scrambling to contain the malware and negate the effects.

Frequently Asked Questions

Q: Can QR codes have viruses?

A: The code itself cannot contain viruses - it contains information but does not have the capacity to store an executable file that is necessary for the release of a virus. The job of a phony QR code is that once scanned, it takes you to a malicious website where the infection can occur.

Q: What is QR code and how does it work?

A: In simple terms, a QR code operates in a similar vein to the UPC code on items scanned at a store checkout counter, although it is much more sophisticated. The QR code does not just give pricing and product information; it can take you directly to a website. If it’s a phishing website, no other action is generally needed – your phone is usually infected as soon as the web page opens.

Q: How can you tell a fake QR code?

A: The #1 way is to make sure the URL address matches the service you are seeking. Hold the camera over the code, but just hover - DON’T SCAN IT! The URL attached to the code will appear. If it doesn’t, it’s probably a scam – don’t scan – better safe than sorry.
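The URL comparison described in this answer, written out as an added example (not code from IT Support LA): it takes the text already decoded from a QR code plus the domain you expected, and lists the ways the two fail to match. The function name, the sample URLs and the example-cafe.test / pay-portal.example domains are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def check_qr_url(payload, expected_domain):
    """Return the reasons a URL decoded from a QR code does not match
    expected_domain. An empty list means nothing was flagged."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["not a parseable URL"]
    expected = expected_domain.lower().rstrip(".")
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # "https://trusted.test@other.example/" really goes to other.example
    if "@" in parts.netloc:
        problems.append("text before '@' is not the real host")
    # Punycode (xn--) and non-ASCII letters can imitate a familiar name
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        problems.append("host uses non-ASCII or punycode characters")
    try:
        ipaddress.ip_address(host)
        problems.append("host is a bare IP address")
    except ValueError:
        pass  # a name, not an IP literal
    # Exact match or a true subdomain only; "expected.other.example" fails
    if host != expected and not host.endswith("." + expected):
        problems.append("host %r is not %s or a subdomain" % (host, expected))
    return problems

# Constructed sample payloads; example-cafe.test stands in for the real service.
SAMPLES = [
    "https://menu.example-cafe.test/lunch",
    "http://example-cafe.test/menu",
    "https://example-cafe.test@pay-portal.example/menu",
    "https://example-cafe.test.pay-portal.example/menu",
    "https://203.0.113.7/menu",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url, "example-cafe.test") or "no flags")
```
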

Q: Can you manipulate a QR code?

A: These codes are static and cannot be edited, updated or tracked (unless the creator embeds a way to track). Manipulation is useless. It’s best to create an entirely new QR code.

How Secure is Your Network?

IT Support LA offers a FREE, no-risk network and security assessment to all companies in the Greater Los Angeles area with a minimum of 10 computers and 1 server. No strings, no obligation.
