FBI warns of surge in malicious QR codes

QR codes have become the new normal for contactless transactions during the pandemic and the FBI is now warning the public that cybercriminals are capitalizing on this technology’s lax security to steal data, money, and drop malware.

I’m sure you’ve seen them everywhere – those square, scannable codes that deliver touchless menus at restaurants, airports, grocery stores and even on product packages. QR codes have exploded in popularity since the pandemic as the go-to solution for contactless interactions using the smartphones we already have. But the FBI just issued yet another alert warning the public that these QR codes are easily tampered with and can be used to direct victims to malicious sites.

How do QR codes work?

QR codes are the square, scannable codes familiar from applications like touchless menus at restaurants, and have gained in popularity over the pandemic as contactless interactions have become the norm. Simply navigating a smartphone camera over the image allows the device’s QR translator – built into most mobile phones – to “read” the code and open a corresponding website.

Why is this a problem?

You might scan appears to be a legitimate code, but the tampered code could direct you to a malicious site which prompts you for login and financial information. The FBI warns that entering this information gives cybercriminals the ability to potentially steal funds from your accounts.

How is this being misused?

The FBI has observed threat actors using malicious QR codes to download malware that takes control of a victim’s device, then access financial data and steal money. Cybercriminals are also swapping out genuine QR codes for their own, intercepting payments, collecting cash and data. A recent survey from the IT security company, Ivanti found that 87% of respondents felt secure carrying out financial transactions following QR codes. The evidence suggests that user security confidence in QR codes is misplaced.

Just last summer the Better Business Bureau issued an alert that scammers were increasingly abusing QR codes in innovative ways. For example, one elaborate scheme started with a malicious QR code and ended with sending victims to gas stations to use Bitcoin ATMs and you can bet new QR code-based scams are just around the corner.

The Takeaway

The FBI offered the following tips to help you from becoming a victim:

  1. Double-check the URL of any site pulled up with a QR code to make sure it’s legitimate. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.

  2. Before engaging with a QR code, check to make sure the code itself hasn’t been tampered with. The FBI suggests looking for evidence a sticker has been slapped over the original code.

  3. The alert cautions users against downloading an app from a QR code rather than the App store, which has more security protections.

  4. Do not download a QR code scanner app: The FBI said, “this increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.”

  5. Don’t make payments to a site accessed by a QR code

  6. If you receive a QR code that you believe to be from someone you know, reach out to the person through a known number or address to verify that the code is truly from them.

Stay safe out there.

-A

PS. We were on ThinkTech last week, talking with Jay Fidell about how Cybersecurity is important to maintaining or increasing the revenue potential of local businesses. It’s a short interview – though you or someone you know may find it interesting.