QR Codes and Phishing: as technology gains popularity, scammers are never far behind.

Phishing scams are familiar to anyone who has a phone. Most of us have received phony calls, social media comments, emails or SMS messages claiming to be from Amazon, eBay, banks, phone companies, Australia Post or even the ATO. And if you think they’re getting more common and more annoying, it’s not just you losing patience—you’re completely right.

In a recent media release, the ACCC’s Scamwatch announced that Australians reported a record $211 million in losses to scams over a nine month period in 2021. They specified that phishing scams rose by 261% in that period.

A phishing scam, for anyone yet blissfully unaware, is a specific kind of scam in which the cybercriminals pretend to represent a legitimate business or charity to gain access to your personal information and, usually, your banking or credit card information.

However, some recent news from the USA is the first we’ve heard of a particular kind of phishing scam: QR code fraud. In Houston, San Antonio and Austin, Texas, police have taken to social media to warn residents that scammers are slapping phony QR codes on parking signage, which, when scanned, link unsuspecting motorists to fraudulent payment portals.

The news prompts us at DCA’s Cities Team to reflect on the issue of increasingly sophisticated fraud and the role of QR codes in parking.

QR (Quick Response) codes are not a particularly new technology. They operate similarly to barcodes, but they use the pixels on a grid instead of the lines used in barcodes, which enables them to store more information—about two hundred times as much information, according to a 2020 interview with inventor Hara Masahiro. In Australia, their use has been lately popularised by mandatory government check-ins, which have helped us track the progress of the coronavirus pandemic. But it might surprise you to learn that QR codes were actually invented back in 1994, for a variety of logistical uses in industry.

Most QR codes scanned by consumers through their smartphones will tell a phone to go to a website for an advertiser, a charity, or a government agency. Perhaps they’ll take a user to a social media app, or be the download link for a PDF. But their use as a vector for scams is relatively recent—we began seeing warnings from the Australian Cyber Security Centre (ACSC) in 2020, just as their use in tracking Covid-19 pandemic began to expand.

QR Codes do see legitimate use in smart parking systems. They’re used sometimes as a quick way to take motorists to Google Play or the App Store, where they can then download a secure app to pay for their parking. Such secure apps will be compliant with both the Google or Apple store’s quality standards and the payment card industry data security standards (PCI-DSS). These standards protect consumers.

But just as any scammer could send a dodgy SMS to say “Your order has shipped—track your parcel at this link!” anyone can also create a QR code, print it on adhesive paper, and slap it on a parking meter.

Phishing scams come in all shapes and sizes, but they all have one thing in common: they pinpoint the end user as the most vulnerable point in a given system. Because phishing exploits the end user, rather than the technology itself, it can pose a significant problem for organisations to manage. Businesses must place QR codes in clear, prominent spots and regularly confirm that they haven’t been replaced, but when you’re managing not just a single store front, but a sprawling network of signs and meters, it can be extraordinarily difficult to keep up with every QR code.

The best practice defence against phishing is user education. There’s no getting around this, because the user is the vulnerability that such scammers aim to exploit. End users need to have the tools to critically assess the legitimacy of a website, particularly one that asks for their personal information or credit card details. To that end, reporting, advocacy and government agency websites such as the ACCC Scamwatch or the ACSC should be the first ports of call for consumers looking to make a report about a scam, find out more, or simply improve their cybersecurity literacy and protect themselves.


News Categories