Scanning a Quick Response or QR barcode is a quick, contactless way for people to use their smartphone cameras to do everything from read a restaurant menu to pay bills, but cybersecurity experts say the growing popularity of QR codes during COVID-19 has also made these easy targets for cybercriminals.
“Businesses use QR codes legitimately to provide convenient contactless access and have used them more frequently during the COVID-19 pandemic,” the FBI noted in a recent public service bulletin. “However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use.”
Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. Victims scan what they think to be a legitimate code, but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. This gives cybercriminals the ability to potentially steal funds through victim accounts.
Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim’s mobile device and steal the victim’s location as well as personal and financial information, the FBI said. The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts.
The Pew Charitable Trusts this week reported on a QR code scam that has targeted drivers using park-to-pay kiosks in several large Texas cities. Scammers slapped fake QR code stickers on the pay stations and drivers who scanned these were directed to a website that asked them to enter their credit card or bank account information.
In Atlanta, fake parking tickets that feature a phony QR code have been found on cars. When owners scan the QR code to pay the parking fine, they are directed to a fraudulent website that asks them for their financial information. Real Atlanta parking tickets do not contain a QR code, Pew said.
The FBI said that while QR codes are not inherently malicious, it is still important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code. The FBI shared these tips:
- Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL, but with typos or a misplaced letter.
- Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
- If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
- Do not download an app from a QR code. Use your phone’s app store for a safer download.
- If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company’s phone number through a trusted site rather than a number provided in the email.
- Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
- If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
- Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.