QR codes are useful shortcuts to online resources via a phone's camera, but scammers are now tampering with them to direct victims to phishing pages and cryptocurrency scams.
QR or 'Quick Response' codes have been connecting scanners to real-world objects since the 1990s, but got widely adopted during the pandemic as businesses moved to contactless communication and payments via QR codes on restaurant menus, parking meters and other public spaces.
But scammers are now targeting the QR code's increased familiarity by tampering with the pixelated barcodes and redirecting victims to sites that steal logins and financial information, according to an FBI alert.
SEE: Your cybersecurity training needs improvement because hacking attacks are only getting worse
"Businesses use QR codes legitimately to provide convenient contactless access and have used them more frequently during the COVID-19 pandemic. However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use," the FBI notes in its alert.
It doesn't cite any recent examples of QR scams, but follows the use of QR codes in phishing emails to steal Microsoft 365 credentials in October. The QR codes were useful to attackers because the barcode images bypassed email filters that use URL scanners to block malicious links.
The FBI in October said it had recently started to receive reports about malicious QR codes being used, particularly in cryptocurrency scams. "Crypto transactions are often made through QR codes associated with crypto accounts… making these transactions easy marks," the FBI noted.
"Do not scan a randomly found QR code," the FBI warned.
Ars Technica reported about scammers placing fraudulent QR code stickers on parking meters in major Texas cities. These aimed to trick people into paying for parking to a fraudulent website. The social engineering element was that parking meter terminals today frequently have signs with QR codes to direct users to a non-city, third-party parking payment app.
The FBI's alert addresses this type of scam, too: "A business provides customers with a QR code directing them to a site where they can complete a payment transaction. However, a cybercriminal can replace the intended code with a tampered QR code and redirect the sender's payment for cybercriminal use."
QR codes can also load malware to steal financial information and then withdraw funds from victim accounts, the FBI warns.
There are parallels between email phishing and malicious QR codes stuck on public spaces. How do people know which ones to trust? Employee cyber-awareness training usually tells users not to click on links from unsolicited email, but they still do.
Some of the FBI's self-defense advice warns against following common practices when using a QR code, but the overall message is to exercise caution when entering information from a website accessed via a QR code.
"Law enforcement cannot guarantee the recovery of lost funds after transfer," it warns.
The FBI's tips for smartphone users include: check the URL after scanning a QR code because the URL may look like the legitimate site; be careful when entering credentials or financial information on a site visited via a QR code; avoid downloading an app from a QR code and instead use an official app store; and call the organization if it sent a bill in email, allowing payment through a QR code in order to verify its authenticity.
Also, don't download a QR code scanner because most phones have one built in to the camera. (The iPhone got one in 2011 in iOS 11, with Android makers quickly following suit.)
Finally, avoid making payments through a site navigated to from a QR code, the FBI warns. Instead, manually enter a known and trusted URL to complete the payment.