On 18 Jan, 2022, the FBI released a public service announcement, alert number 1-011822-PSA, warning the public that cybercriminals are tampering with Quick Response (QR) codes. The altered QR codes redirect victims to malicious sites to steal login and financial information.
QR codes have been adopted by many businesses during the COVID-19 pandemic to provide contactless access to their websites, applications, and payment methods. Cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites. These malicious sites prompt the victim to provide credentials and financial information which are then utilized by the cybercriminals to access the victim’s accounts and steal funds. This method can also be implemented when a business uses QR codes to facilitate payments.
These cybercriminals are embedding malware in QR codes. The malware allows malicious actors to gain access to the victim’s mobile device and compromise the victim’s location, personal, and financial information. This information can be leveraged by the cybercriminal to withdraw funds from the victim’s accounts.
The FBI warns people to use caution when providing credentials and financial information to a site accessed by QR codes. Recovery of lost funds cannot be guaranteed. The FBI has provided the following tips to protect yourself.
Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
- If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
- Do not download an app from a QR code. Use your phone’s app store for a safer download.
- If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company’s phone number through a trusted site rather than a number provided in the email.
- Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
- If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
- Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
If you believe you have been a victim of stolen funds from a tampered QR code, report the fraud to your local FBI field office at www.fbi.gov/contact-us/field-offices. The FBI also encourages victims to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.
Read original article