People in France are warned to be alert to scammers using fake QR codes to steal personal data or install malware on your smartphone, via codes on everything from menus to advertisements.
QR code use is spreading across the country, with more public places employing them to make accessing information easier for the public.
To use them, you must hold up your phone (either your camera or a QR code app) to the QR code (a unique design of small black and white squares), which will take you to a pre-specified link. This might be a webpage or an invitation to download an app.
Restaurants may use them to give you easy access to the menu or a payment platform, or to grant codes to the WiFi network, for example. They may also be found on the side of packaging to offer more information, in magazines, shops, or on public transport.
The practice has increased since the pandemic (when QR codes became standard on health and vaccination passes during the crisis), meaning opportunities for scammers to exploit the technology have also risen.
Researcher Len Noe, at cybersecurity firm CyberArk, told Le Parisien: “It has taken years to tell people not to click on a doubtful link by email, and now we are starting again with these QR codes, which are just ‘phishing’ campaigns in another form.”
How does the QR code scam work?
It is relatively easy to create a QR code, via free websites or graphics platforms. This means that it is also easy for scammers to use them for criminal ends.
Once the scam QR code has been created, a fraudster only needs to stick their code over an existing one, say on a paper or plastic menu.
The ‘fake’ QR code can then take the user to a website that looks similar to the original, but which then asks for personal or banking data. It can also enable the downloading of malware: software that instals onto your smartphone and takes control of it, steals your passwords, or similar.
How can you detect a scam QR code?
Consultant at cybersecurity firm CheckPoint Adrien Merveille said: “This is usually not done by large hacker groups. It’s usually local criminals who target tourist sites, where they have physical access to ‘hijack’ QR codes.”
It is impossible to see whether a QR code is fake just by looking at the design alone, but these tips may help you spot them:
Make sure the QR code is not a sticker added on top of a real code
After you scan the code, check that the URL is correct for the page you were expecting
Avoid downloading an app, or if you need to for the correct intended purpose (such as paying for your restaurant meal), double-check the details thoroughly before you download it
Do not download any app – even if you believe it is genuine – that asks for access to your microphone, contacts, or geolocation
Avoid connecting to public WiFi without using a VPN (a ‘virtual private network’, which hides your IP address so hackers cannot access your details)
You can report any scams to the website Cybermalveillance.gouv.fr.