COVID-19 data collection – how to stay safe and avoid scams
- Written by Aaron Bugal, Global Solutions Engineer at Sophos
Scammers will take advantage of any situation they can to obtain personal information and, often, financial reward. The COVID-19 situation is no different. According to the Australian Government’s Scamwatch, more than 6,100 COVID-19-related scams have been reported since the outbreak of COVID-19, resulting in people being scammed out of more than $8.4 million.
Now a new vector for COVID-19-related scams has arisen – QR codes. (QR stands for quick response, in case you were wondering.) Across Australia, bricks and mortar businesses are now required to have QR code check in to make it easier for contact tracing in the event of an outbreak. And those QR codes are easily spoofed, often by simply sticking another, fraudulent QR code over the top. How can business owners and consumers protect themselves against this new scam?
QR codes – the wild west
When the pandemic hit, and businesses were asked to have people check in, it gave rise to any number of data brokers offering check-in services to businesses. These all had their own privacy policies (which few people ever take the time to read, generally because they’re long and impossible to understand) and often asked people to check a small box if they didn’t want to receive marketing materials. Of course, a lot of people would miss this box.
Businesses using these data brokers all had the same obligations under various pieces of privacy legislation: they had to ensure the personally identifiable information was stored in an approved manner, that people could opt into marketing campaigns associated with their PII, and that the information was destroyed after a certain period.
It quickly became apparent that this situation was not ideal on two levels. First, there was no overarching rules about the data brokers. While they were bound by legislation associated with collecting PII, there was no guarantee that it was not going overseas. It was also vulnerable to being hacked and sold on the dark web.
The second issue was that without a centralised data collection process, it was difficult for contact tracers to get the information they needed if there was an outbreak.
Most Australian state governments saw the light towards the end of 2020, and this wild west situation came to an end. NSW, for example, mandated all check-ins had to be made through its Service NSW app, easing the situation for contact tracers and giving consumers better privacy protection as their data wasn’t being collected by brokers.
Government tracing opens the door for scammers
Putting a QR code at the entrance of every business seems like a great idea – and it is, until it isn’t. Why? Because it’s relatively easy for a scammer to simply paste over the QR code with their own fraudulent code.
A business owner might not immediately notice that their code was replaced by something else and, for consumers, it’s nearly impossible to know, simply by looking at the code that things are not as they seem.
That’s because QR codes, like their less intelligent barcode brethren, aren’t readable by humans. To us, all QR codes look the same.
Scanning a scam QR code could take you to a portal that looks like the real thing. As with phishing emails (emails designed to look like they come from a legitimate sender in a bid to extract personal and financial information), a scam QR code portal could have logos and other information that look legitimate.
Spotting these scams is a little harder. Business owners and consumers need to be aware that a government sign-in, like the Service NSW app, will always keep them within the app itself. It won’t divert to a web page, even if that web page looks legitimate.
But what if you don’t have an official government app in your state? Then the QR code will take you to a web page. So, you need to know how to spot a scam check in website.
If it asks you for credit card information, it’s a scam. Check the URL that loaded – make sure it doesn’t have lots of unusual characters and numbers in the address bar.
Business owners can protect against these scams by regularly checking their signage for tampering, while the best protection for consumers is to use the official government app for their state or territory.
As COVID-19 precautions become increasingly normalised into our business and personal lives, business owners should now have transitioned onto government apps, and consumers should be using them too. With a few simple precautions, businesspeople and customers can protect themselves against QR code scams – keeping their personal and financial information safe.
