The FBI recently issued an announcement regarding the use of malicious Quick Response (QR) codes by cybercriminals to redirect victims to malicious sites that steal login and financial information.
A QR code is a square barcode that a smartphone camera can scan and read. They are used to perform a variety of functions, such as opening a website, prompting the download of an app, or even directing payment to an intended recipient. Businesses use QR codes legitimately to provide convenient contactless access and have used them more frequently during the COVID-19 pandemic. However according to the FBI, “Cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use.”
Typically, cybercriminals will tamper with QR codes, either digital or physical, to replace legitimate codes with malicious codes. A victim then scans what they think is a legitimate code, but the tampered code directs victims to a malicious site, which may prompt them to enter login credentials or financial information. Access to the victim’s information gives the cybercriminal the ability to potentially steal funds through the victim’s accounts.
They warn that malicious QR codes may also contain embedded malware, which can allow a criminal to gain access to the victim’s device or steal the victim’s location, as well as personal and financial information.
While QR codes are not inherently bad, it is important to practice caution when entering financial information or providing payment through a site reached via a QR code. Once transferred, law enforcement cannot guarantee the recovery of lost funds.
Tips from the FBI to protect yourself…
- Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
- If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
- Do not download an app from a QR code. Use your phone’s app store for a safer download.
- If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company’s phone number through a trusted site rather than a number provided in the email.
- Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
- If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
- Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
If you believe you have been a victim of stolen funds from a tampered QR code, report the fraud to your local FBI field office at www.fbi.gov/contact-us/field-offices. The FBI also encourages victims to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.