Learn about how QR codes are adding a new layer of fraud to brushing scams and how to protect yourself
Brushing scams are evolving with a new tactic that poses a serious risk to companies across industries, especially those with online applications, websites, or mobile apps. Traditionally, brushing scams involved sending unsolicited packages with random products to create fake, "verified" purchases and artificially boost seller ratings.
Now, scammers are embedding QR codes in these packages, disguising them as if they were sent from your company, and directing recipients to malicious websites to gather personal information or compromise user accounts.
How the Scam Works
1. Unsolicited Packages: Recipients receive unexpected packages with random items and a QR code attached. These packages, featuring your company logo and brand, look like they were sent from your company.
2. Social Engineering: Recipients are encouraged to scan the QR code inside your application, often with a promise of rewards or verification purposes.
3. Malicious Redirection: These QR codes link to fraudulent sites designed to collect personal information, solicit fake reviews, or even execute unauthorized transactions. In some cases, these malicious sites can trick users into disclosing credentials, which scammers can then use to access online accounts or infiltrate your systems.
Why This Is a Risk to Your Application
For companies with online applications that provide QR code scanning capabilities, QR code brushing scams pose a significant threat. Once users scan these codes, they can be redirected to phishing pages that resemble your application or website.
This can lead to credential theft, unauthorized access, and further compromise, including a potential reputational risk to your company. Businesses with websites, apps, or online portals are particularly at risk, as scammers may use phishing tactics to lure users into sharing sensitive information through malicious redirects.
How to Protect Against These Risks
To mitigate these risks, companies should implement URL and domain scanning solutions that can detect and block suspicious links before users are exposed to them.
Solutions like IPQS's URL and Domain scanner can evaluate QR code-linked URLs for indicators of phishing, malware, or malicious redirects. Additionally, educating users about the dangers of unsolicited QR codes and encouraging caution when scanning can provide an extra layer of protection.
By staying proactive, companies can safeguard their users and applications from this new wave of QR code brushing scams, reinforcing the security and trust essential to a safe online experience.
IPQS URL and Domain Scanner
So, how can you be sure a QR code link is safe, and how can you protect your customers and online users? That's where IPQS URL and Domain Scanner comes in:
Instant Link Safety Check – IPQS URL and Domain Scanner instantly evaluates links for phishing, malware, and suspicious redirects.
Phishing & Malware Detection – In addition to verifying the URL itself, our technology analyzes domain reputation, past behavior, and any suspicious activity. With the IPQS risk score, you will know when a site is safe and when it's a potential scam.
Mobile-Enabled, Real-Time Security – Businesses can integrate IPQS directly into their native mobile apps through our Mobile SDK.
After using IPS to score and validate the URL and Domain, you control the next steps a user should take in your application. Either continue to the expected step or prevent them from navigating into a malicious site.
Ready to Take Control?
With QR code brushing scams on the rise, protecting users before they interact with malicious content is critical. IPQS's advanced, real-time URL and Domain Scanner can help detect phishing sites, stop malware, and block suspicious redirects.
For more information, visit ipqs.com.
