One of the most curious ads during last month’s Super Bowl did not feature Clydesdales selling beer, Alexa reading people’s minds, or woodland animals flipping out over Flamin’ Hot Cheetos. It was just a simple colorful QR code bouncing around the screen for 30 seconds. If you were one of the millions of people to get off the couch and scan the code with your phone, you would have been taken to a promotional page for Coinbase, a cryptocurrency exchange. It was an odd choice for the company given that just two weeks prior the FBI had issued a Public Service Announcement to raise awareness of cybercriminals using malicious QR codes to steal personal and financial information.
QR (quick response) codes were first invented in Japan in the 1990s to aid in manufacturing and have since become ubiquitous. They are square barcodes that can be scanned by smartphones to provide access to a website. A quick and easy way to convey information, they are now used for boarding passes, consumer product information, coupons, sporting and event tickets, and more. QR codes became especially popular during the COVID-19 pandemic as a way for restaurants to conveniently share their menus with customers in a contact-free manner. Because consumers are used to using them but do not necessarily understand them, they have become a new breeding ground for cybercriminals and hackers.
Earlier this year, both the Texas cities of San Antonio and Austin were targets of QR code sticker scams. Fake QR code stickers were placed on parking pay stations around the cities. The codes were found to lead to fraudulent websites. When people attempted to pay for their parking spaces through these websites, they actually were submitting their payment to a fraudulent vendor. This is precisely what the FBI warned about in its PSA: “Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.”
The PSA warned of an even more insidious danger. “Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim’s mobile device and steal the victim’s location as well as personal and financial information. The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts.”
The trick with a bogus QR code is that it can be harder to spot than another type of phishing attack. A traditional phishing attack will be set up to look like a legitimate website or email. “It’s much the same with a QR code,” warns McAfee, a popular computer security company, on its blog about QR code scams, “yet here’s are [sic] a couple of big differences:
- The QR code itself. There’s really no way to look at a QR code and determine if it’s legitimate or not, such as by spotting clever misspellings, typos, or adaptations of a legitimate URL.
- Secondly, QR codes can access other functions and apps on your smartphone. Scammers can use them to open payment apps, add contacts, write a text, or make a phone call when you scan a bogus QR code.”
How to protect yourself
Cybercriminals may prefer QR codes because they are often missed by security software, but there are several steps that you can take to protect yourself.
- Only scan a QR code from a trusted source (such as a restaurant menu).
- There is no need to scan a QR code within the body of an email; a simple link should be included in an email.
- Avoid making payments using a site reached through a QR code.
- Always verify a QR code received from an unknown source before clicking on it.
Find the complete list of tips from the FBI and information on how to report fraudulent activity here.