The US Federal Trade Commission (FTC) has warned Americans about QR code scams infiltrating restaurants, airports, sporting events and retail stores.
QR, which stands for ‘quick response,’ are machine-readable codes of black and white squares that store URLs, payment options and other online services accessed by a smartphone camera.
They rose in popularity during the Covid pandemic at stores and restaurants for contactless exchanges of money and services, but the codes have become a mainstay.
However, thieves are designing fake codes that redirect users to fraudulent websites, allowing them to harvest data, take control of smartphones or steal money.
The US Federal Trade Commission (FTC) has warned Americans about QR code scams infiltrating restaurants, airports, sporting events and retail stores
Cybersecurity experts have been monitoring the scam, finding over 60,000 samples of QR code attacks in the third quarter of 2023.
‘A scammer’s QR code could take you to a spoofed site that looks real but isn’t,’ the FTC shared in the announcement.
‘And if you log in to the spoofed site, the scammers could steal any information you enter. Or the QR code could install malware that steals your information before you realize it.
Officials warned that the scams are being carried out in physical locations by overlaying the fake code on top of an authentic one and via text and emails.
‘Don’t scan a QR code in an email or text message you weren’t expecting — especially if it urges you to act immediately,’ the FTC noted.
‘If you think the message is legitimate, use a phone number or website you know is real to contact the company.’
The announcement also urged the public to be wary of QR codes in unexpected locations, noting that they pay attention to misspellings or switched letters in URLs.
Thieves are designing fake codes that redirect users to fraudulent websites, allowing them to harvest data, take control of smartphones or steal money
John Fokker, head of threat intelligence at Trellix, a cybersecurity company, told The New York Times: ‘The pandemic led to a resurgence of QR codes in our daily lives — everywhere from restaurant menus to use in doctors’ offices — making QR codes an attractive vector for cybercriminals to use to target individuals and organizations around the world.’
Fokker said that people should use two-factor authentication, which uses apps or telephone numbers to help verify a person’s identity online, and ‘keep software updated to ensure devices have the latest security measures in place.’
The Federal Bureau of Investigation (FBI) issued a similar warning in May and previously in January 2022.
A report from Marcum, a New York-based accounting and advisory service, shows that QR code scams are among the top five cybersecurity threats observed in April.
The group highlights scammers are using fake codes to carry out phishing scams in emails and social media messages.
‘Scammers might also approach you through an online marketplace claiming they are trying to purchase goods that you are selling and ask you to scan a QR code,’ according to Marcum.
‘Avoid making payments from a website accessed via a QR code. To make the payment, manually input a recognized and trustworthy website.’
Another area seeing fake QR codes is in the cryptocurrency industry.
‘Crypto transactions are often made through QR codes associated with crypto accounts… making these transactions easy marks,’ according to a press release from the FBI.
‘If you happen to scan a scammer’s bad code, you could end up giving him access to your device.
‘He can access your contacts, download malware, or send you to a fake payment portal.
‘Once there, you can inadvertently give him access to your banking and credit card accounts. If you make a payment through a bad QR code, it’s difficult if not impossible, to get those funds back.’
