The Federal Bureau of Investigation (FBI) in the US has released a public service announcement (PSA) warning that “cybercriminals are tampering with QR codes” in order to steal data and funds and is advising consumers to “practice caution” when using them.
The PSA states that businesses have used QR codes “more frequently during the Covid-19 pandemic” to enable contactless access and payments, and that cybercriminals “are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use”.
“Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes,” the PSA explains.
“A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.
“Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim’s mobile device and steal the victim’s location as well as personal and financial information. The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts.”
The FBI announcement also advises that, “while QR codes are not malicious in nature”, consumers can protect themselves by checking that a QR code takes them to an authentic site with a correctly spelt URL, ensuring that a physical QR code has not been tampered with “such as with a sticker placed on top of the original code”, avoiding “making payments through a site navigated to from a QR code”, and practising caution “when entering login, personal, or financial information” on sites reached via a QR code.
It also recommends against downloading an app from a QR code or a QR code scanner app as “this increases your risk of downloading malware onto your device”.
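The URL checks in that guidance can be applied to the text a scanner decodes before the link is opened. The following is an added example, not code from the FBI PSA or this article; it assumes the user knows which domain the legitimate code should lead to (the hypothetical `cafe.example` in the sample values) and flags the mismatches, near-miss spellings, embedded credentials and app-package downloads the PSA warns about.

```python
from typing import List
from urllib.parse import urlparse


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss spellings of a host."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_qr_payload(payload: str, expected_host: str) -> List[str]:
    """Return warnings for the text a scanner decoded from a QR code.

    expected_host is the domain the legitimate code should lead to (an
    assumption: the user knows which site the menu or poster belongs to).
    An empty list means none of the checks fired; it is not proof of safety.
    """
    warnings = []
    url = urlparse(payload.strip())
    if url.scheme.lower() not in ("http", "https"):
        return [f"not a web link (scheme={url.scheme or 'none'!r}); do not act on it blindly"]
    if url.scheme.lower() != "https":
        warnings.append("link uses plain http, not https")
    if url.username is not None:
        # https://trusted.example@attacker-host/ shows the trusted name first
        warnings.append("credentials embedded before the host (user@host trick)")
    host = (url.hostname or "").lower()
    expected = expected_host.lower()
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        warnings.append("internationalised host; check for look-alike characters")
    if host != expected and not host.endswith("." + expected):
        if _edit_distance(host, expected) <= 2:
            warnings.append(f"host {host!r} is a near-miss spelling of {expected!r}")
        elif expected in host:
            warnings.append(f"host {host!r} merely contains {expected!r}; the real domain differs")
        else:
            warnings.append(f"host {host!r} is not {expected!r}")
    if url.path.lower().endswith((".apk", ".ipa", ".exe")):
        warnings.append("link downloads an app package; the PSA advises against installing apps from QR codes")
    return warnings
```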