By Terri Jo Neff
QR codes can be scanned to download a coupon, sign in at a medical appointment, even look at a restaurant’s menu while waiting to be seated. They can also be used by cybercriminals to scam people, the FBI is warning.
A QR code is a square barcode that a smartphone camera can scan and read to provide quick access to a website. It can also be used to prompt the user to download an app or process a direct payment to an intended recipient. And businesses large and small utilize QR codes for customer rewards programs.
The popularity of QR codes grew during the COVID-19 pandemic in part due to the contactless nature of the technology. But more and more cybercriminals are now tampering with the codes to surreptitiously redirect victims to a malicious site in order to steal login and financial information, the FBI warns.
“Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes,” the FBI stated. “A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.”
The scammers can also utilize a QR code to embed malware which allows a cybercriminal to gain remote access to a victim’s device, and even redirect money transfers to the criminal, according to the FBI. The cybercriminal can even leverage financial information stolen from the device to withdraw funds from the victim’s bank accounts or credit / debit cards stored on the device.
“Law enforcement cannot guarantee the recovery of lost funds after transfer,” the FBI stated.
Companies are advised to consider whether the immediate convenience of offering QR code options is worth the potential cost of dealing with security breaches and disgruntled customers.
And for those consumers who really want to utilize QR codes, the FBI has some suggestions to reduce, albeit not eliminate, the risk of falling victim to a scammer.
According to the FBI:
- Do not download a QR code scanner app, as this increases your risk of introducing malware onto your device. Instead, use the built-in code scanner incorporated in your camera app.
- Avoid making payments through a site you were sent to via a QR code. Instead, manually enter a known and trusted URL to complete the payment.
- Also, use caution when asked to enter any login, personal, or financial information from a site you navigated to from a QR code.
- If you receive a QR code that appears to be from someone you know—such as a local business or medical provider—contact them through a known number or address to verify they sent you the code.
- Do not download an app to your device via a QR code. Use your device’s app store instead for any download.
- If scanning a physical QR code, ensure the code has not been altered or tampered with, such as a sticker placed on top of the original code.
- Once you scan a QR code, check the URL it opened to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Finally, if you receive a notice of a failed payment from a company you recently made a purchase with and the only option you are given for completing the payment is via a QR code, call the company to verify. But do not use the phone number included on the notice—ensure you obtain the number through a trusted site.
If you believe you have been the victim of a QR code scam, contact your local police department or sheriff’s office. They may conduct the investigation or refer the matter to the nearest FBI office.
Meanwhile, suspicious QR code activities can be reported directly to the FBI Internet Crime Complaint Center at www.ic3.gov.