When you think about a scam, what comes to mind? Perhaps you think about receiving a poorly drafted email saying “You Just Won $500! Click HERE NOW!” Maybe you think about a sketchy salesperson approaching you about a timeshare in Hawaii that seems way too good to be true.

When we think about scams like these, it can be easy to say to ourselves: “I could never fall for something like that!” Now, perhaps you would not fall for such an over-the-top or blatant scam as the ones mentioned above. However, it would be foolish for us to let our guard down and underestimate the craftiness of modern scammers. The truth is, malicious attackers have become very creative in the tactics they use to dupe their victims. The traps they have set may be where you least expect them to be!

QR Codes and CAPTCHA Tests

To Scan or Not to Scan?

QR codes have become increasingly popular. You can use them for just about anything, from viewing restaurant menus to performing monetary transactions at places of business. They became especially common during the height of the pandemic. Scanning a QR code with a smartphone is convenient and easy, but malicious attackers have begun exploiting features like these.

In several Texas cities, scammers would slap fake QR codes on parking meters. Scanning this code would take the victim to a phony website asking for a credit card. Police say it is unknown just how many people could have been duped and had their card information compromised, as these fake QR codes were found all over the city’s meters. Aside from public spaces, scammers have also begun including QR codes in phishing emails.

Of course, being directed to a fake website is not the only danger when it comes to scanning malicious QR codes. They can also connect a victim’s device to a malicious network and share the user’s location. Malware embedded in the QR code can automatically initiate phone calls, draft emails, and send text messages. Automatic fraudulent payments may also be initiated.
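The behaviors listed above correspond to different payload types inside the code, and a decoded payload can be inspected before anything is opened. The following Python function is an added example, not part of the original article: it classifies a decoded QR string by the action it would trigger and flags suspicious links. The function name, the prefix table, the `expected_hosts` parameter, and all sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Common QR payload prefixes and the action a scanner app offers for each.
ACTIONS = {
    "wifi:": "join Wi-Fi network",
    "tel:": "place phone call",
    "sms:": "send text message",
    "smsto:": "send text message",
    "mailto:": "draft email",
    "matmsg:": "draft email",
    "geo:": "open map location",
}

def classify_qr_payload(payload, expected_hosts=()):
    """Return (action, warnings) for a decoded QR string; nothing is opened."""
    text = payload.strip()
    lowered = text.lower()
    for prefix, action in ACTIONS.items():
        if lowered.startswith(prefix):
            return action, [f"would {action}; confirm the source first"]
    if not lowered.startswith(("http://", "https://")):
        return "plain text or unknown", []
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("link is not HTTPS")
    if "@" in parts.netloc:
        warnings.append("userinfo before '@' can disguise the real host")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host may imitate another name")
    if expected_hosts and not any(
        host == h or host.endswith("." + h) for h in expected_hosts
    ):
        warnings.append(f"host {host!r} is not one you expected")
    return "open website", warnings

if __name__ == "__main__":
    # Constructed sample payloads (not taken from any real incident).
    samples = [
        "https://parking.example.org/pay?zone=12",
        "http://parking.example.org.pay-meter.example.net/pay",
        "https://parking.example.org@198.51.100.7/pay",
        "WIFI:T:WPA;S:FreeParkingWiFi;P:constructed-pass;;",
        "SMSTO:+15555550100:PAY",
    ]
    for s in samples:
        print(s, "->", classify_qr_payload(s, ("parking.example.org",)))
```

The second sample shows why reading only the start of a link is not enough: the expected name appears as a subdomain of an unrelated host.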

Are You a Human?

CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. A mouthful for sure, but it is likely you have run into these tests many times while browsing the web. Perhaps one asked you to pick out all the images of fire hydrants or type out the terribly scribbled characters shown in an image. Despite their rather odd method of human verification, CAPTCHA tests have become very commonplace in the digital age today. Even though they may be frustrating at times, at least they are always a sign of credibility, right? Well, not quite.

Scammers know that CAPTCHA tests can provide a sense of legitimacy. And the truth is, anyone can create one of these pages. This makes them a very deceptive tool in the hands of a scammer. For example, in 2020 a phishing attack on Netflix users included the use of one of these pages. Users were sent an email titled “Notice of Verification Failure”, detailing an “issue” with the customer’s billing information. To add to the email’s credibility, a link was provided that took customers to a CAPTCHA page with Netflix branding. Once a victim correctly completed the test, they were led to a Netflix lookalike log-in page which would steal credentials.

As we can see, the sole purpose of the CAPTCHA page was to provide a false sense of legitimacy. The CAPTCHA page itself was not the scam, and it may seem like a very small or unimportant thing to include. However, it reinforced the email’s credibility and led to many customers having their login credentials stolen!

How to Protect Yourself

Now that we have discussed some methods that malicious attackers use, how do we ready ourselves for when we come across scams like these? Let us consider some tips for each.

Fake QR Codes