This week, the FBI issued a public service announcement about cybercriminals tampering with QR codes for purposes of theft. How can you protect yourself and your clients, even if you don't use QR codes in your own business?
The Basics of QR Codes and the Opportunity for Criminals
QR codes are square barcodes that may be scanned and read with a smartphone camera to enable quick access to a website, trigger the download of an app, or direct money to a specific recipient. Businesses have been using QR codes more commonly since the beginning of the pandemic (think of all of the restaurant menus you have scanned). And, now that QR codes are being used more frequently, cybercriminals have seen this as an opportunity to route QR code scans to malicious sites in order to steal victim data, embed malware in order to get access to the victim's device, and redirect payment for cybercriminal purposes.
What Are Cybercriminals Doing with QR Codes?
Cybercriminals are hacking into the code behind the QR code, in both digital and physical QR codes, and replacing valid codes with harmful codes. Then, when a victim scans what appears to be a legitimate code, the altered code leads them to a malicious website.
These criminals are doing multiple things with their malicious websites.
1. The victim may be directed to a page that asks for log-in and other identifying information that may give the cybercriminal access to financial accounts.
2. Malicious QR codes may also contain embedded malware, allowing a criminal to obtain access to the victim's mobile device. Once the cybercriminal has this information, they can steal personal and financial information as well as the victim's location, enabling them to steal money from the victim's account.
3. QR codes are sometimes used by businesses and individuals to make payments easier. Customers are given a QR code that directs them to a website where they may conduct a financial transaction. In this case, the cybercriminal can substitute a modified QR code for the intended code and reroute the sender's cash for cybercriminal use.
Tips to Protect Yourself (and Your Clients) From Malicious QR Codes
Please share the following tips with your clients.
- When entering login, personal, or financial information on a site accessed using a QR code, be cautious extremely cautious.
- Check the URL after scanning a QR code to ensure it is the intended site and appears to be genuine. A malicious domain name may closely resemble the desired URL but will contain errors or a misspelled letter.
- If you're scanning a physical QR code, make sure it hasn't been tampered with, for as by putting a sticker on top of the original code.
- Do not use QR codes to download apps. It is much safer to go to your phone's app store.
- If you receive an email from a firm claiming that a payment failed and the company indicates that you can only complete the payment using a QR code, phone the company to verify. Also, instead of using the phone number supplied in the email, look up the company's phone number on a reputable website.
- Downloading a QR code scanner app is not a good idea. This raises the likelihood of malware being downloaded onto your device. The camera app on most phones has a built-in scanner.
- If you receive a QR code that you think belongs to someone you know, contact them using a known phone number or address to confirm that the code belongs to them.
Do you have questions about this article? Email us and let us know > info@woodard.com
Comments: