Scanning scam (and other frauds)

QR codes, telecommunication and photo sharing

By Robert E. Holtfreter, Ph.D., CFE, CICA
Taking Back the ID: Identity theft prevention analysis

Tech-savvy Katie Winston always looked for the newest apps. Recently, she had been using her smartphone to scan “Quick Response” or QR codes in magazines, on posters and just about everywhere. One day she checked her bank statement and found a strange unaccountable withdrawal and a zero balance in her account. She was another victim of the QR code click jacking scam. 

The case is fictional but the problem isn’t. The ubiquitous QR codes are becoming a gateway for fraud. 

QR codes (sometimes also called “Quick Read”), which look like matrix barcodes (see image at left), are composed of digital black modules and square dots arranged in a square grid on a white background. You can use the built-in camera and QR code reader in your cellphone or smartphone to scan and decipher the code. 

Denso Wave Inc., a subsidiary of Toyota, invented the QR code system as a scanning device in 1994 to track components during the manufacturing of its automobiles. (See p. 341 of “Handbook of Augmented Reality,” 2011, edited by Borko Furht, Springer.) Businesses throughout the world now use them to identify and track products and direct potential customers to their websites. 

According to an article on the Scambusters website (“5 Ways to Avoid a QR Code Scam”) the codes are “popping up everywhere — not just on labels [and on buses, business cards, on flyers and posters] and in magazines but also, for example, on some tourist monuments, providing instant details on the site being visited.”  

A QR code on your business card allows associates to add your contact information to their phones. Businesses also use them to give directions to events and direct consumers to coupon sites. 

Magazines and newspapers commonly use QR codes to help control their copy costs while still keeping the readers informed. For example, The Wall Street Journal used three codes in the main section of their September 13 edition: one that read, “Scan this code for continuing coverage of the Syrian crisis” and two to direct readers to “Scan a video ...” to learn more.

QR codes, compared to typical UPC barcodes, have more storage space for URL links, text and geo coordinates. For years, marketers have printed URLs on products to encourage consumers to visit sites. However, would-be customers have to write down the URLs and type them into their browsers on their phones or at home. No need to do that with QR codes. 


Opportunistic fraudsters have developed several variations of QR code click jacking. They substitute real QR codes with bogus ones. Victims who scan the fake QR codes are directed to malicious websites with realistic bogus screens. Then, as in any phishing scheme, victims are prompted to provide personally identifiable information (PII), which fraudsters then use for identity theft. Or, depending on the type of device victims use, they’re directed to malicious websites, which include malware that may be directly downloaded to the victims’ smartphones. Possible result? Online banking fraud.


According to Scambusters’ “5 Ways to Avoid a QR Code Scam,” here’s some advice:
  • Never scan a code box that doesn’t appear to be linked to anything else and has no accompanying text — for example, just stuck on a wall or floor.
  • Be wary of scanning codes in public places, such as transportation depots, bus stops or city centers.
  • Check first to see if a code is on a removable sticker. If so, don’t scan.
  • If you scan a code and find yourself on a web page that asks for PII such as passwords, don’t key in the information. Nothing is that important. You can always investigate the product later.
  • If you encounter a possible bogus QR code attached to a product, advertisement, poster or building, warn the owner of the site. 
  • Use a scanner app that actually checks the website the QR code is directing you to before it takes you there. Smartphones that use the Android operating system are the most vulnerable. Secure reader apps are available. Just do a search for “secure QR reader app.”

Information portal or fraud gateway?

According to the qrmedia website article “QR Code scanner protects from malicious QR Codes,” Symantec is offering a new QR code scanner for Android phones, Norton™ Labs Snap. Symantec claims that it “protects you, your mobile device, and your important Stuff from online threats that may come from QR Codes” by warning you of dangerous QR codes and blocking unsafe websites before they load on your device.

The qrmedia site says the application automatically scans QR codes and checks to see if they’re safe; blocks unsafe, fake or phishing sites; and stops online threats before a browser loads. We’ll see. No word yet on possible QR code blockers for iPhones.
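
To make the idea of checking a link before the browser loads it concrete, here is an added Python example (not part of the original article, and not how Norton's app or any named product works). The function name vet_qr_payload, the trusted-host list and the shortener list are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lists; a real reader app would use its own policy or reputation data.
TRUSTED_HOSTS = {"example.com", "www.example.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def vet_qr_payload(payload: str) -> list[str]:
    """Return warnings for a decoded QR payload; an empty list means nothing was flagged."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed link"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes can also carry tel:, sms:, mailto:, Wi-Fi settings or plain text.
        return [f"not a web link (scheme {scheme or 'none'}): display it, do not act on it"]
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    host = (parts.hostname or "").lower()
    if not host:
        return warnings + ["no host name in link"]
    if parts.username or parts.password:
        # Text before '@' is not the destination, but it can look like one.
        warnings.append("text before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode domain that may imitate another name")
    if host in SHORTENERS:
        warnings.append("link shortener hides the final destination")
    if host not in TRUSTED_HOSTS:
        warnings.append(f"destination '{host}' is not on the trusted list: ask before opening")
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads, as a decoder might return them.
    for sample in ("https://www.example.com/coupon", "http://192.0.2.10/login",
                   "https://www.example.com@xn--exmple-cua.test/", "tel:+15551234567"):
        print(sample, "->", vet_qr_payload(sample) or "no warnings")
```

The point of returning warnings instead of opening the link is that the person scanning sees the real destination host and decides before any page loads.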

