“Latest Spam”
By Scott Hamilton
After all the years I have written about the latest technology and the number of times I wrote about QR codes, I can’t believe I fell for it. I usually watch “Real America’s Voice” newscasts on RokuTV and made a critical mistake while watching last week. There have been a bunch of new advertisements after Trump won the election offering a lot of “free” Trump stuff.
The ads may say that all you have to pay is shipping. I’m no dummy; I know they are overcharging for the shipping to cover the cost of the products included in the package. However, what I did not realize is that the QR code in the ad, to make it easy to reach their site, is a special new type of spam.
I guess first I should describe which spam. It is not the canned meat product, but rather a special classification of e-mail meant to trick you into clicking a website link, downloading software or sharing private information with another party. Not all spam is dangerous, but all spam has the main goal of gathering personal information. This is usually for marketing products and services.
The second thing I should describe is a QR code. A QR code is one of those strange-looking, usually square symbols, with a seemingly random series of dark and light sections. These QR codes can store massive amounts of information given their size. You can think of them like a fancy bar code that can contain full messages. The one on these new TV ads opens the vendor’s website, but it apparently also shares information with the advertising vendor.
I found this out the hard way by taking an interest in one of the products and scanning the QR code with my phone. It was less than 10 minutes later that I received my first text message from the product vendor, and over the last five days I have received 20 text messages, 15 e-mails and thankfully no phone calls. I am probably not getting calls because I am on the do not call registry. It would not be so bad if it was just contacts from the advertiser, but I am getting them from partner companies as well.
After this unpleasant experience, I thought it would be a good idea to share a piece of advice I have shared before. It goes something like this: never trust a source of information that provided itself. For example, if you have the choice of returning a call from your credit card company to the number they called from, or the number on your card, always use the number on your card. If you have the choice between typing the website address yourself or scanning a QR code to reach the site, always type the address. You don’t know what else may be hiding in the code.
The same goes for e-mail. If you get an e-mail from your credit card company or bank, even if it looks legitimate, don’t click any links or reply to the e-mail with any personal information unless you were just on the phone with them and they said they would send it. Call the bank; don’t respond to the e-mail. Responding to such an e-mail is one of the fastest ways to give someone direct access to your accounts.
There has been recent research by Cisco Talos warning that a majority of the QR codes you find on products, advertising signage, websites and commercials are spam. They are designed to do what has been termed “Quishing,” which is QR code phishing. If you don’t know the term, “phishing” means fishing for information, and QR codes are the latest mechanism. It has been found that one in every 500 e-mails contains a QR code, which bypasses spam filters in your e-mail. That’s not the scary part – a staggering 60 percent of the QR codes in e-mail contain spam or quishing content, making them dangerous. The even worse part is that there is no easy way to detect a QR code in an e-mail, or to analyze the QR code for malicious content.
The safest thing to do is not to trust a QR code unless it is one you created for yourself. Just like a lot of the tools designed for efficiency, it comes with a sacrifice, and in the case of QR codes, it may be the security of your personal information. Until next week, stay safe and learn something new.
Scott Hamilton is an Expert in Emerging Technologies at ATOS and can be reached with questions and comments via email to sh*******@te**********.org or through his website at https://www.techshepherd.org.