Scammers are taking hold of the opportunity to steal cash and financial credentials as businesses turn to QR codes for contactless payments during the Covid endemic.

To access online resources, QR codes are a useful shortcut. But now hackers are using QR codes to redirect victims to cryptocurrency scams and phishing pages.

Since the 1990s, QR or ‘Quick Response’ codes have been in use. However, during the pandemic more businesses made use of them to initiate contactless communication. For instance, to make payment via QR codes, check-ins, ordering off a menu, parking metres and others public spaces.

As a result, scammers are now taking advantage of the QR codes and targeting them for their criminal purposes. According to the FBI, they tamper with the pixelated barcodes and redirect victims to sites that steal logins and potentially their financial information.

Businesses have used QR codes more frequently during the pandemic and used them legitimately to ensure patrons have a contactless way to interact that is safe. However, scammers are tampering with these QR and taking advantage of the situation and technology. ” The FBI notes in its alert that by redirecting QR codes it’s possible for scammers to steal the victims data, implanting malware to obtain access to the victim’s device, and redirecting payment for cybercriminal use.

However the FBI doesn’t list any examples of QR scams, but they have been following the use of QR codes in phishing emails to steal Microsoft 365 credentials in October. Because the barcode images bypassed email filters that use URL scanners to block malicious links, the QR codes were very useful to attackers. It made it easier to get the result they wanted.

In October the FBI advised that they started to receive reports about malicious QR codes. To clarify, these were in regard to the Crypto transactions that are often made through QR codes associated with crypto accounts. In other words, cryptocurrency scams.

The FBI warns, “do not scan a randomly found QR code.”

Parking metres in major Texan cities are where fraudulent QR code stickers were placed reports Ars Technica. Scammers tricked people into paying to their fraudulent website. Likewise, legitimate third-party parking payment apps with QR codes are common in these areas that have parking meter terminals today. So, there was a social engineering element to this scam.

Meanwhile, this type of scam is on alert from the FBI’s, too: For example, a QR code is provided by a business that directs them to make a payment. But the cybercriminal replaces the legitimate QR code with a code that sends the payment to the criminals account instead.

In addition, criminals can load malware on to their fraudulent QR codes to steal financial information. Therefore, the criminals can now withdraw funds from their victim’s account.

Certainly, we can see similarities between malicious QR codes and email phishing stuck on public spaces. So how can people distinguish between the legitimate and fraudulent ones? Especially since training employees in cyber-awareness recommends never to click on unsolicited email, but sometimes they still do.     

The overall message from the FBI is to exercise caution when entering information from a website accessed via a QR code.

It warns, “law enforcement cannot guarantee the recovery of lost funds after transfer.”

If you’re using a smartphone the FBI has some tips:

  • Double check the URL after scanning a QR code as the URL may look similar to the legitimate site
  • be careful when entering credentials or financial information on a site visited via a QR code
  • avoid downloading an app from a QR code and instead use an official app store
  • and call the organization if it sent a bill in email, allowing payment through a QR code to verify its authenticity.

Note to that phishing attempts against smartphones are also on the rise.

There’s no need to download a QR code scanner as they come built into your camera on the phone, whether it an iPhone or Android. The iPhone got one in 2011 in iOS 11

The FBI also warns against making payments through a site navigated to from a QR code. To complete the payment, you can manually enter a known and trusted URL.

Want insights like this in your mailbox? Join our monthly mailing list

How can we make your business better with IT?