This week, the FBI issued a public service announcement about cybercriminals tampering with QR codes for purposes of theft. How can you protect yourself and your clients, even if you don't use QR codes in your own business?
QR codes are square barcodes that can be scanned with a smartphone camera to open a website, trigger the download of an app, or direct money to a specific recipient. Businesses have been using QR codes more commonly since the beginning of the pandemic (think of all of the restaurant menus you have scanned). Now that QR codes are used more frequently, cybercriminals see an opportunity to route QR code scans to malicious sites in order to steal victim data, embed malware to gain access to the victim's device, and redirect payments to themselves.
Cybercriminals are tampering with both digital and physical QR codes, replacing valid codes with harmful ones. Then, when a victim scans what appears to be a legitimate code, the altered code leads them to a malicious website.
These criminals are doing multiple things with their malicious websites.
1. The victim may be directed to a page that asks for log-in and other identifying information that may give the cybercriminal access to financial accounts.
2. Malicious QR codes may also contain embedded malware, allowing a criminal to obtain access to the victim's mobile device. Once the cybercriminal has this access, they can steal personal and financial information as well as the victim's location, enabling them to steal money from the victim's account.
3. QR codes are sometimes used by businesses and individuals to make payments easier. Customers are given a QR code that directs them to a website where they may conduct a financial transaction. In this case, the cybercriminal can substitute a modified QR code for the intended code and reroute the sender's cash for cybercriminal use.
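One check a business that publishes its own QR codes can run against the substitution described above, shown as an added example that is not from the original article or the FBI announcement: compare the text decoded from a posted code with the URL the business intended. The function name, URLs and sample payloads are constructed for illustration, and the image is assumed to have been decoded already by any scanner.

```python
from urllib.parse import urlsplit


def audit_qr_payload(decoded: str, expected_url: str) -> list[str]:
    """Return the reasons a decoded QR payload differs from the published URL."""
    findings = []
    got, want = urlsplit(decoded.strip()), urlsplit(expected_url)

    scheme = got.scheme.lower() or "missing"
    if scheme != "https":
        findings.append(f"scheme is {scheme!r}, not https")

    # Text before '@' is userinfo, not the host; it can make a link look familiar.
    if got.username or got.password:
        findings.append("URL carries userinfo before '@' that can disguise the host")

    host = (got.hostname or "").rstrip(".")
    want_host = (want.hostname or "").rstrip(".")
    if host != want_host:
        puny = any(label.startswith("xn--") for label in host.split("."))
        note = " (punycode label, may render as a lookalike)" if puny else ""
        findings.append(f"host {host!r} is not the expected {want_host!r}{note}")

    try:
        if got.port not in (None, 443):
            findings.append(f"unexpected port {got.port}")
    except ValueError:
        findings.append("port is not a valid number")

    if (got.path or "/") != (want.path or "/") or got.query != want.query:
        findings.append("path or query differs from the published link")
    return findings


# Constructed sample data: the intended payment link and payloads read from posted codes.
EXPECTED = "https://pay.example.com/invoice?id=1001"
SAMPLES = [
    "https://pay.example.com/invoice?id=1001",
    "http://pay.example.com/invoice?id=1001",
    "https://pay.example.com@collect.example.net/invoice?id=1001",
    "https://pay.examp1e.com/invoice?id=1001",
    "https://xn--pay-9na.example.com/invoice?id=1001",
]

if __name__ == "__main__":
    for payload in SAMPLES:
        problems = audit_qr_payload(payload, EXPECTED)
        print("OK      " if not problems else "TAMPERED", payload)
        for problem in problems:
            print("         -", problem)
```

An empty result means the posted code still points where the business intended; any finding is a reason to pull and replace the code.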
Please share the following tips with your clients.
You can view the FBI Public Service Announcement here.