Online shoppers warned of QR code phishing scam
With Black Friday on the horizon and peak holiday shopping underway people are expecting deliveries. When shoppers are tracking multiple orders at once they are far more willing to trust a parcel that arrives unexpectedly and a new quishing scam is looking to exploit that.
If scammers have your name and address from previous data breaches, scraped social media posts or public directories, they cab easily make a fake parcel look authentic. Adding a QR code makes people think it’s related to tracking or returns so they’re likely to scan it without thinking.
“The first thing people need to understand is that an unsolicited parcel is not just an inconvenience. It can be the opening to a much more serious breach. When a box arrives at your door with your name correctly printed on it, it feels legitimate, says Theodore Ullrich from Tomorrow Lab. “People assume it must be a gift or a mistake. That assumption is powerful and criminals know it. They are using that moment of curiosity to push victims into scanning QR codes that lead directly to phishing pages.”
This is similar to the fake QR codes stuck to parking machines which redirect the unwary to fraudulent payment portals.
“Scammers use big retail events as cover. When your inbox is filled with shipping updates and your hallway is filled with cardboard, you stop questioning things. That is when people fall victim. I am genuinely concerned that we will see a spike in these incidents because the timing is ideal for criminals,” adds Ullrich. “Treat every QR code with suspicion unless you know exactly where it came from. Scanning a code in a parcel that you never ordered is never a good idea. Even if the page looks familiar, even if it uses the correct branding, even if it tells you it is simply verifying your address, close it. It only takes a single scan for the entire attack to unfold.”
The arrival of an unusual parcel needs to be taken seriously. If you didn’t order it you shouldn’t trust it. The first step is to contact the delivery or sending company through official channels. You should also ensure that you use multi-factor authentication on your accounts as far as possible.
Have you been caught out by a fake QR code? Let us know in the comments.
Image credit: Kemedo/depositphotos.com