June 29, 2023
QR codes aren’t new. First introduced nearly three decades ago by Japanese automakers to track parts and inventory, the digitally scannable 2D barcodes are used for everything from mobile finance and website access to restaurant menus and parking meter payments. But it wasn’t until recently, due largely to their proliferation during the Covid-19 pandemic, that criminals began using them to steal money and personal information.
If it’s easy for you to use, goes the thinking, it’s easy for criminals to abuse.
“Whenever a new technology or a new offering comes out, cybercriminals look for ways to manipulate it,” Angel Grant, vice president of security for Seattle-based F5 and a certified information-systems security professional, told AARP magazine. “So we’ve seen criminals targeting QR codes pretty much from when they were originally put out.”
QR Fraud Rising
As QR fraud rises more rapidly than ever (experts say it’s “rampant”), the FBI and other security insiders are urging people to be extra-cautious. Just because something looks like a legitimate QR code doesn’t mean it is one, so think twice (or thrice) about whipping out your phone to scan it. “Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes,” the FBI warned. “A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.”
Recent QR crimes, according to Infosecurity Magazine, involve bogus parking meter payments, bank phishing, cryptocurrency wallets and romance scams, as well as utility and government imposters. So pretty much the whole nefarious gamut. Malicious codes can lead to malware infections and identity theft, among other negative outcomes — like this one, out of San Francisco, where scammers distributed fake parking tickets with QR codes that directed payments to them instead of the city. (Something similar happened in Austin, Texas.)
Reporting by local SF media, including TV station KRON4, concluded the following: “The QR on the fake parking citation takes you to a homepage that looks eerily similar to SFMTA’s. KRON4 determined the only link that works on the homepage is the ‘pay a parking ticket’ page. It’ll then ask you for a ticket citation number. Whatever number you enter, the citation number will be #14010040 — like it says on the printed ticket above. It will take you to a Square link that will ask for $60.”
As in cybersecurity breaches, a couple of the most popular techniques among QR scammers are so-called “quishing” (QR-centric phishing) and social engineering, the latter of which involves manipulating human psychology to gain access and wreak havoc. In the Netherlands a few years back, for instance, criminals asked passersby to pay for their parking via (fake) QR code in exchange for cash. Later, when the unsuspecting mark checked her/his balance, there was none — the account had been drained.
But QR scams aren’t always so deft or subtle. “A legit QR code is never going to take you to a page that tries to scare you into inputting your personal information,” Eric Florence, a cybersecurity analyst with SecurityTech, told Reader’s Digest.
“If there are any fear tactics or time constraints, it’s a scam.”
Mindsight’s IT director Matt Cox recently posted about some effective ways for companies to thwart QR scammers:
- Make sure you are regularly training your users on phishing defense. Make them aware of these kinds of attacks.
- Make sure you are using MFA on all externally facing applications to reduce the risk of attackers being able to use stolen credentials.
- Make sure you are able to detect the use of stolen credentials, watching for sign-ins from IP addresses you don’t recognize or access outside of business hours.
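The third point above is a detection rule, and here is what it looks like run over sign-in records. This is an added example, not code from the original post or from Mindsight; the log format, the office/VPN IP range and the business-hours window are all assumptions, and the sample events are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample sign-in events (not from the original post); the line format is an assumption.
SAMPLE_LOG = """\
2023-06-29T09:12:45Z user=alice ip=198.51.100.23 result=success
2023-06-29T03:41:02Z user=alice ip=203.0.113.77 result=success
2023-06-29T14:05:19Z user=bob ip=198.51.100.40 result=success
2023-06-29T15:22:08Z user=carol ip=203.0.113.9 result=failure
2023-07-01T11:00:00Z user=bob ip=198.51.100.40 result=success
"""

# Hypothetical office/VPN egress ranges and working hours (assumptions for the example).
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC, Monday to Friday

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m.group(2), "ip": ipaddress.ip_address(m.group(3)), "result": m.group(4)}

def is_known_ip(ip):
    return any(ip in net for net in KNOWN_NETWORKS)

def is_business_hours(ts):
    return ts.weekday() < 5 and ts.hour in BUSINESS_HOURS

def flag_signins(log_text):
    """Return (timestamp, user, ip, reasons) for successful sign-ins that look anomalous."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue  # only successful sign-ins show that a credential was actually used
        reasons = []
        if not is_known_ip(ev["ip"]):
            reasons.append("unrecognized source IP")
        if not is_business_hours(ev["ts"]):
            reasons.append("outside business hours")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], str(ev["ip"]), reasons))
    return findings
```

Against the sample, the 03:41 sign-in for alice from an unknown address trips both rules, and bob’s Saturday sign-in from the office range trips only the hours rule; a real deployment would feed these into an alert or a conditional-access policy rather than a list.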
And here are some additional safeguards for individuals courtesy of the FBI:
- Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
- If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
- Do not download an app from a QR code. Use your phone’s app store for a safer download.
- If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company’s phone number through a trusted site rather than a number provided in the email.
- Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
- If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
- Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
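The first FBI item, checking the decoded URL for a lookalike of the intended domain, can be turned into a small policy check that a scanner app or a browser extension could apply before opening the link. This is an added example, not from the FBI or the original post; the expected domain is a hypothetical placeholder and the two-edit lookalike threshold is an assumption.

```python
from urllib.parse import urlsplit

# Hypothetical domain the user expects the QR code to lead to (assumption for the example).
EXPECTED_HOST = "example-city.gov"

def edit_distance(a, b):
    """Levenshtein distance, used to spot hosts that differ from the expected one by a typo or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(payload, expected_host=EXPECTED_HOST):
    """Return a list of warnings for a decoded QR payload; an empty list means it matches expectations."""
    warnings = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"not a web URL (scheme {parts.scheme!r})"]
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username or parts.password:
        warnings.append("credentials embedded in URL")
    # exact match or a genuine subdomain of the expected host is fine
    if host == expected_host or host.endswith("." + expected_host):
        return warnings
    # the expected name buried inside an unrelated host, e.g. expected.gov.pay-now.test
    if expected_host in host:
        warnings.append(f"expected name embedded in unrelated host {host!r}")
    elif edit_distance(host, expected_host) <= 2:
        warnings.append(f"lookalike host {host!r} (close to {expected_host!r})")
    else:
        warnings.append(f"unexpected host {host!r}")
    return warnings
```

Non-URL payloads (phone numbers, Wi-Fi credentials) are reported as such rather than opened, which matches the FBI’s advice to treat anything a QR code points at as untrusted until verified.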
Finally, here’s the Better Business Bureau’s take.
Mindsight is industry recognized for delivering secure IT solutions and thought leadership that address your infrastructure and communications needs. Our engineers are expert level only – and they’re known as the most respected and valued engineering team based in Chicago, serving emerging to enterprise organizations around the globe. That’s why clients trust Mindsight as an extension of their IT team.
Visit us at http://www.gomindsight.com.
About the Expert
Matt Cox is the Director of Internal Systems and Security at Mindsight, and has over 20 years of experience in Telecommunications, Information Technology and Network Management. In his role at Mindsight, Matt has the uncanny ability to communicate complex technical ideas to a broad audience. He is passionate about information security and using technology to improve business outcomes and is currently pursuing CISSP certification. When he’s not focused on the hyper-technical, Matt enjoys boating, fishing, and lock picking.