Consumer technologies continue to become increasingly innovative. While they often make our lives better, these new technologies give cybercriminals new ways to threaten our privacy and steal our identities. As QR codes continue to grow in popularity, cybercriminals have begun to use them to conduct their malicious attacks.
Smartphones make QR code scanning easy. By simply pointing the phone’s camera at the QR code, consumers can access promotions, see restaurant menus, access digital tickets, and more. However, not all QR codes are legitimate.
The FBI has issued warnings about cybercriminals tampering with QR codes to steal users’ login and financial information. After scanning a QR code, victims can be directed to a website that is disguised as legitimate but gathers identity information and delivers malware.
QR code fraud is rampant
Here are some notable cases in which QR codes have been used fraudulently.
Parking meter payment. Fraudulent QR codes have often been placed on the back of parking meters, leading victims to assume that they can pay for parking through the QR code if they do not have exact change. After paying through the QR code, some victims return to find their vehicle has been towed or has received a parking ticket. Plus, their payment information is typically harvested for later use.
Bank phishing scams. Banks are increasingly using QR codes to promote their financial services. Bank branches will have a sign on their entry doors or on an easel placard with special promotions encouraging the use of additional services or new account signup. A cybercriminal can easily overlay the QR code with one that redirects to their malicious site.
Cryptocurrency wallets. The rise of cryptocurrencies has altered traditional thinking about investments, and the confusion surrounding these transactions makes the field ripe for scammers. The trading of cryptocurrencies such as bitcoin is conducted online, and the easiest way for both legitimate and fraudulent traders to direct investors to their digital wallets is through a QR code.
Romance scams. In some instances, cybercriminals spend months building an online romantic relationship with their victim, which ultimately results in them offering financial advice or asking for financial assistance through a cryptocurrency exchange. The victim follows the provided QR code and transfers the requested money to the scammer’s digital wallet.
Utility and government impostors. Cybercriminals often disguise themselves as representatives from a utility company, the Social Security Administration, or the IRS regarding an outstanding debt. The scammer claims that failure to pay will result in arrest, additional fines, or shutting off access to electricity, gas, or water. The cybercriminal will tell the consumer that the payment portal for these services is currently offline, but they can submit payment through another portal that they can access by following a link or scanning a QR code.
How to avoid becoming a victim of QR code fraud
There are several actions you can take to reduce the risk of QR code fraud. The National Cybersecurity Center advocates good cyber-hygiene so that if a malicious QR code is scanned, there is at least a reduced chance of it creating harm. Relevant practices include:
- Once you scan a QR code, check the web address to make sure it is the intended site and looks authentic. Look for typos or even a single misplaced letter.
- Be cautious about entering login, personal, or financial information on a site reached through a QR code.
- If scanning a physical QR code on a sign, window, or placard, ensure it has not been tampered with.
- Do not download an app from a QR code. Use your phone’s app store for a safer download.
- If you receive a notice to complete a payment through a QR code, call the company to verify.
- Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner in the camera.
- If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
While public awareness around QR code fraud is growing, much more needs to be done to prevent cybercriminals from using the technology. If you believe you have been a victim of QR code fraud, contact the National Cybersecurity Center to find out what you can do to protect yourself.
Credits: Important source material for this paper was contributed by Brian Shuster, Chief Innovation Officer of ACTV8.me Inc., a technology firm focused on innovative uses of QR codes and their protection. Visit https://www.actv8me.com/ for more information. Or contact the author, Rick Crandall, at firstname.lastname@example.org.
About the National Cybersecurity Center
The National Cybersecurity Center (NCC) is a 501(c)(3) non-profit for cyber security education, collaboration and leadership development grounded in a shared mission to advance pragmatic, forward-thinking security policies and programs. Serving public and private organizations, the NCC, in partnership with the University of Colorado Colorado Springs (UCCS) and as the operational home to the Space ISAC, delivers an integrated and fully-interdisciplinary cyber center that is actively transforming the nation’s ability to deter cyber threats.