FBI Warns of Cybercriminals Using QR Codes to Steal FundsBoth Digital and Physical QR Codes Being Tampered With to Spread Malicious Code
Businesses of all sizes, but especially small and medium-sized enterprises, are using quick response - or QR - codes to carry out contactless operations amid the rise and spread of the COVID-19 pandemic in the past couple of years. But the FBI has now issued a warning telling consumers: "Cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use."
The FBI did not cite any instances of this tactic being deployed in campaigns, but creating fake QR codes is not new. Research by NCC Group found that New York state residents could bypass the COVID-19 credential validation process by fraudulently creating a QR code and getting a fake COVID-19 credential (see: New York Vaccine Passport App Stored Forged Credentials).
The FBI says QR code technology is important, and not all QR codes are malicious in nature. But "it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code," the FBI says, as law enforcement agencies "cannot guarantee the recovery of lost funds after transfer."
Rachel Jones, CEO of SnapDragon Monitoring, tells Information Security Media Group that this is yet another example of how fraudsters are hijacking events surrounding the pandemic to make money. She says, "When it comes to protecting against these scams, venues that are using QR codes for track and trace need to keep a beady eye on them being replaced by fraudsters. If any are found, report them to the police immediately."
For consumers, Jones says, "It is far safer to download the mobile application of the establishment you are visiting and check into the venue there. Also be aware that QR codes for self-check-in should never require financial information. All they require is your name and contact details."
Detecting fake websites is a major challenge to the untrained eye, so many consumers will be tricked by these scams, Jones says. "If you are ever directed to a site that seems suspicious, never hand over any personal or financial information. Instead, use free website authentication tool to verify if it is genuine or fake. These tools reduce the chance of people handing over confidential information to fake websites, making it harder for scammers while improving security for consumers."
The FBI has published its own set of guidelines and protection tips for consumers to spot malicious and fake QR codes and take remediation action, including:
- Check the URL that you are being directed to after scanning the QR code. Look out for malicious domain names that may be similar to the intended URL - but with typos or a misplaced letter - and authentic-looking phishing sites.
- Practice caution while entering login, persona, or financial information to a website that has been navigated via a QR code.
- Check physical QR codes for tampering. This can be done by ensuring that no sticker has been placed on top of the original code.
- Avoid downloading apps from a QR code. The FBI recommends using the phone's app store or play store for a safer download.
- Avoid making online payments via QR codes sent in emails stating payment failure for a recently made purchase. Calling the company for verification at a phone number published on a trusted site is highly recommended, the FBI says.
- Avoid downloading QR code scanner apps as it increases the risk of downloading malware onto the device. Instead, use a phone's built-in scanner through the camera app that most smartphones have.
- Before making payments using QR codes supposedly for someone you know, contact them through a trusted number or address to verify that the code is from them.
- Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
In November 2021, the FBI issued a warning that highlighted the risks associated with the QR code. It alerted people that criminals were increasingly asking victims of various fraudulent schemes to use QR codes and cryptocurrency ATMs to complete their payment transactions.
These schemes identified by the FBI include online impersonation schemes, in which a scammer falsely identifies himself as a familiar entity such as the government, a law enforcement agency, a legal office or a utility company; romance schemes, in which a scammer establishes an online relationship with a victim by creating a false sense of intimacy and dependency; and lottery schemes, in which a scammer falsely convinces a victim that they have won an award and consequently demands that the victim pay lottery fees.