I explained to Kidlet, my youngest, today that it's a bad idea to scan strange QR codes. The ones on documentation that came with new phones and such are probably fine (they'd better be!) but I've seen 'em posted on "missing pet" signs, concert signs, yard sale posts on community websites, etc. How do you know where those lead? Get a good hook like "lots of free stuff!", "reward for lost dog!", or "sign up to be in the yard sale!" and yeah, people are going to click. They'll believe whatever the wording around the digital square implies it leads to.
I know it's an old trick by this point, but I really want to run a test with a QR code that links to a fake phishing website. Maybe set one up that says "you shouldn't have scanned that! This could be malware!" and post the QR code to it with text that says "register here" on walls in high traffic areas to see how many hits I get. Public service phishing tests...*
Then again, I'm also the person who got notifications that my email address was being used to register for new things and download new apps that I certainly hadn't signed up for. Almost NO digging and clicking on links showed that the person doing it was a little old lady in MN** who got her first smartphone and didn't understand how email or the 'net works. From the information she provided in her use of my email address in her registering and downloading things, I was able to run a quick public records search and, in less than a minute, had more than enough of her PII (personally identifiable information) to take over her life and ruin her. It started with things like her street address, full name, and age and went from there. I even had her nearest relatives and their contact information...
So I sent her (through Amazon) a few books on internet safety and "how to Internet" specifically aimed at seniors, along with a note saying "you got a cranky-but-benign person... this time. Please read these books and be safer from now on." One of the books miiiiight have had "for Seniors for Dummies" in the title. No problems since... I imagine that Ms. M's pride was a little injured, but better her pride than her finances and safety. I know quite well what can be done with even a fraction of the information she gave out alongside an email address she likely thought she made up and sounded pretty.
I mean, usually I'm quiet and passive. But if I do set traps (usually because people infringed on my peace and quiet or my ability to use my assorted accounts in peace), they tend to be of the "here's why you shouldn't have done that, what if I was a Bad Guy?" type. I hope it's kept at least a few people more secure than they would have been, even if they got mad at me.
Thing is, the people using my email for stuff without checking that it's free to use? They're having companies send their PII to me, a total stranger with unknown motives and abilities. It's insane, and I really worry about the ones who are doing this and getting bad actors (instead of cranky vaguely benign types) on the other end. Yeah, it's technically their problem, but the people doing this are very often not in a financial position to afford ANY loss. I don't want someone on a fixed income whose biggest joys are their memories and their religion to lose food or rent money because they didn't understand how the internet, email, and digital services work. Maybe I can help a little... even if it is with some extra snark added. I'd rather these people have hurt feelings than hurt lives.
*I just had a lovely idea for a company pen test!
**Locations and identities changed to protect the hopefully formerly clueless.