Quick Response (QR) codes have become a standard method of conducting contactless transactions during the COVID-19 pandemic. However, cyber criminals are exploiting the lax security that often exists at businesses such as restaurants and event ticket sellers, which rely on quick website access.
The FBI has warned that it’s easy to tamper with QR codes so they redirect victims to fake websites controlled by hackers.
QR codes are the square, scannable images that have become standard features on restaurant menus. Customers can scan a QR code with a smartphone camera that has a built-in QR translator, which then directs the phone to the website for that product. In the case of a QR scam, victims scan a fake code they believe to be legitimate. The code then directs them to a malicious site, which usually prompts them to enter personal information such as account logins. This site then stores the information, allowing cyber criminals to access those accounts at a later time. Criminals conducting this scam may alter a legitimate QR code or simply place their own code over an existing one.
Ivanti conducted an international survey during April 2021 in which 57 percent of respondents reported that their usage of QR codes increased after the onset of the pandemic in March 2020. Eighty-seven percent of the respondents in that survey also stated they felt secure in conducting financial transactions with QR codes, indicating the lucrative potential for this type of scam. Current trends in cybercrime indicate this confidence is misplaced, given the increase in QR scams reported by the Better Business Bureau (BBB) in the summer of 2021. One of the more elaborate of these early scams involved instructing victims to send Bitcoin from ATMs with malicious QR codes placed on them.
A continuing increase in QR abuse is inevitable, given that every technological advance simplifying the interaction between customers and businesses provides criminals with a vulnerability they can exploit. This problem is particularly prevalent in the food service industry, which now has a strong incentive to avoid passing paper menus to customers. The fact that many people have ready access to contactless menus allows ample opportunity to place a sticker with a malicious QR code over a legitimate one.
The FBI has provided the following tips to minimize the risk of using QR codes.
- Check the QR code before scanning it to ensure it hasn’t been altered and isn’t on a sticker that’s been placed over the original code.
- Download QR codes directly from an application store rather than an app, which has fewer security protections.
- Don’t use a QR code that you receive via email unless it’s from someone you know. Contact the sender directly to verify they sent it to you.
- Examine the URL that a QR code sends you to before taking any other action on that website. Ensure the domain name is spelled correctly, as scammers often use a URL that’s virtually identical to the legitimate one.
- As much as possible, avoid making payments to a site that you accessed via a QR code.
QR codes aren’t inherently malicious, but they do lend themselves to exploitation by criminals. A QR code’s physical image often provides clues that indicate it isn’t legitimate. The URL that a QR code uses can also tell you when it’s a scam.
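
The URL check from the tips above can be automated once the QR code has been decoded to text. The following Python sketch is an added example, not part of the original article or the FBI guidance; the expected-domain list, the sample URLs in the demo, and the two-edit look-alike threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: domains you expect a QR code to lead to (constructed sample values).
EXPECTED_DOMAINS = ("example-bistro.com", "tickets.example.org")

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(url, expected=EXPECTED_DOMAINS):
    """Return (verdict, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "suspicious", "malformed URL"
    if parts.scheme != "https" or not host:
        return "suspicious", "not an https web link"
    if "@" in parts.netloc:
        return "suspicious", "text before '@' is not the real destination"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "suspicious", "non-ASCII or punycode host can imitate Latin letters"
    for domain in expected:
        # Exact match or a true subdomain of an expected domain.
        if host == domain or host.endswith("." + domain):
            return "ok", f"host belongs to {domain}"
    for domain in expected:
        if domain in host:
            return "lookalike", f"{domain} is embedded in a different host"
        if edit_distance(host, domain) <= 2:
            return "lookalike", f"host is within two edits of {domain}"
    return "unknown", "host is not on the expected list"

if __name__ == "__main__":
    # Constructed sample URLs, as if decoded from scanned codes.
    for sample in ("https://example-bistro.com/menu",
                   "https://examp1e-bistro.com/menu",
                   "https://example-bistro.com.menu-login.example/pay",
                   "http://example-bistro.com/menu"):
        print(sample, "->", check_qr_url(sample))
```

An "unknown" verdict means only that the host is not on the list, so the remaining tips, such as inspecting the physical code for a sticker, still apply.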