Smart Device Users Beware: Fraud May Be Just a Click Away
You’ve installed anti-virus software to protect your business network and personal computer. You know the signs of phishing scams (including unfamiliar senders, poor grammar and misspelled words). And like most people who use the Internet today, you never open a suspicious e-mail or download files from a questionable website.
But what have you done to protect your iPhone, Android or tablet from cyber theft?
Many smart devices currently operate without anti-virus and malware protection. Although there haven’t been many high-profile fraud cases involving smart devices, opportunistic hackers are targeting these devices as the world of quick response (QR) codes grows.
What are QR Codes?
QR codes are square, two-dimensional barcodes that were originally used by auto manufacturers in the 1990s to track vehicle parts. Today, QR codes have become a popular marketing tool for businesses to connect with customers using smart devices.
You’ve probably seen QR codes in magazine ads, on business cards and product packaging—even in taxis. Instead of remembering a web address and typing it into your browser, you can simply snap a photo of a QR code with your smart device.
Once clicked, QR codes perform all kinds of functions, quickly and easily. For example, a code might link to product specs on the company’s website, enter the user into a prize contest, provide directions to an event, purchase a product using a PayPal account, “like” a company on Facebook or download coupons.
Unfortunately, QR codes can also be used to commit fraud.
Anatomy of a QR Code Scam
Some QR codes are self-contained. That is, all the product information is coded into the image. If you have a QR reader on your smart device, it auto-converts the image and directs you to a website.
Other QR codes require you to download or purchase an application (app) to access an online server, which looks up the desired information or performs some other function. Both types of QR codes—direct and indirect—are susceptible to fraud.
Scammers can, for example, embed shortened URLs into QR codes to misdirect victims to cloned websites, where the fraudster sells product without ever fulfilling the contract or installs malware to gain control over the device. The next time the user accesses his or her mobile wallet or PayPal account, the malware captures that information and makes fraudulent charges.
Alternatively, proprietary apps pose a security risk by allowing the QR code author to install measurement and tracking systems onto the smart device. Most QR code apps require consent to a user’s agreement—which many people fail to read—and these could authorize the QR code author to track your cell phone usage, access your contacts and other personal information, or ring up charges for premium texts on your cell phone bill, for example.
An even bigger threat occurs when the user connects the smart device to a computer to charge it or sync data. The malware can “leap” to the PC, infecting it and any networks to which the computer is linked. This security risk is one reason some companies are leery of implementing bring-your-own-mobile-device (BYOD) programs.
Users Provide the First Line of Defense
Surprisingly few iPhone, Android or tablet users have taken steps to protect against fraud. Here are four simple things you can do to protect your smart device starting today:
- Never click a QR code in a public place, such as a bus stop or mall. Only scan QR codes that come from trusted sources or have been vetted by third parties. Be especially careful when traveling overseas where QR code “clickjacking” scams tend to be more common.
- Always check a QR code for a sticker before scanning it. Use your fingernail. If it looks like a sticker, it could be a scam.
- Never provide personal information or passwords if requested by a website linked to a QR code, even if the site appears to be legitimate.
- Install a QR code scanner app that screens URLs before directing you to the site. These apps block unsafe sites and stop online threats before they’re downloaded to your device. Search for “secure QR reader” on your smart device. Read the reviews and select one from an anti-virus software provider you know and trust.
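To show what "screening a URL before opening it" can mean in practice, here is an added example (not from the original article or any particular scanner app) that checks the text decoded from a QR code for the warning signs described above. The function name, the short list of shortener domains and the sample payloads are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Small illustrative list of URL-shortening services; a real screener
# would rely on a maintained list or a reputation service.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
# Schemes that make a phone send a text or place a call when opened.
BILLABLE_SCHEMES = {"sms", "smsto", "tel"}


def screen_qr_payload(payload, expected_host=None):
    """Return warnings for the text decoded from a QR code (empty = no check fired)."""
    warnings = []
    parts = urlsplit(payload.strip())
    if parts.scheme in BILLABLE_SCHEMES:
        return ["opens a text message or call, which may be billed"]
    if parts.scheme not in ("http", "https"):
        return ["not a web address: scheme %r" % parts.scheme]
    host = parts.hostname or ""
    if parts.scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        warnings.append("text before '@' hides the real host")
    if host in SHORTENERS:
        warnings.append("shortened URL hides the final destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another domain")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if expected_host and host != expected_host.lower():
        warnings.append("host %r is not the expected %r" % (host, expected_host))
    return warnings


# Constructed sample payloads, as a QR reader would decode them.
SAMPLES = [
    ("https://www.example.com/specs", "www.example.com"),
    ("http://bit.ly/3xAmPlE", "www.example.com"),
    ("https://www.example.com@203.0.113.7/login", "www.example.com"),
    ("smsto:55555:JOIN", None),
]

if __name__ == "__main__":
    for payload, expected in SAMPLES:
        print(payload, "->", screen_qr_payload(payload, expected) or "no warnings")
```

An empty result only means none of these checks fired; it does not prove the destination is safe.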
The end result of all this is simple: Your smart devices are personal computers. Treat them that way. Don’t wait for a major cyberthreat to occur to prove that smart devices are vulnerable to viruses and malware.
QR codes appeal to fraudsters for several reasons:
- They’re easy and cheap to create. All you need to do to set up a QR code is go to an online service and enter a web address. The site generates a QR code in seconds for free.
- Malicious codes can be printed on stickers and placed on top of legitimate QR codes. Or a fraudster might post the code on a subway station bulletin board or a tourist monument and wait for curious victims to click on the image.
- The human eye can’t decipher QR codes. People can’t tell a legitimate QR code from a malicious one. So it’s easier to hide a “clickjacking” scam than a phishing scam or virus. Smart devices don’t usually slow down or show any other signs of “infection” until the user’s data has long since been compromised.
- QR codes are relatively new, but rapidly growing. Hackers will increasingly exploit QR codes as more people purchase smart devices and more businesses use them for marketing purposes.
- Users new to the QR code world may be unfamiliar with the risks of clicking on malicious codes and may not be security-conscious enough when using their smart devices.
Consult with Professional Advisors
Jill has been with Lumsden McCormick for nearly 15 years, joining the Firm upon graduating with honors from the University at Buffalo. She is a principal in the auditing and accounting department performing attestation services. While her focus has been in the health care industry, Jill has a broad range of skills applicable to commercial enterprises. She has an understanding of the underlying concerns all businesses face related to technology controls and data security and is certified in fraud prevention, detection and deterrence. Her ability to perform audits and risk assessments has only been enhanced with her certification as a Certified Fraud Examiner (CFE) by the Association of Certified Fraud Examiners and as a Certified Information Technology Professional through the American Institute of Certified Public Accountants (AICPA). Jill is a member of the AICPA, New York State Society of Certified Public Accountants (NYSSCPA), NYSSCPA Technology Assurance Committee, the Association of Certified Fraud Examiners (CFE) and the Information Systems Audit and Control Association (ISACA).