The FBI cautioned Americans this week that fraudsters steal their credentials and financial information by exploiting fraudulently engineered Quick Response (QR) codes. The warning was released as a public service announcement (PSA) on the Bureau’s Internet Crime Complaint Center (IC3).
“Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information,” the federal law enforcement agency stated.
According to the FBI, criminals are altering legal QR codes used by companies for payment reasons to route potential victims to malicious websites that steal personal and financial information, implant malware on their devices, or redirect their transactions to accounts under their control.
After scanning what appear to be authentic codes, the victims are sent to the attackers’ phishing sites, where they are encouraged to share their login and financial information. Once entered, it is given to hackers, who can use it to steal money from hacked bank accounts.
“While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code,” the FBI added. “Law enforcement cannot guarantee the recovery of lost funds after transfer.”
The FBI recommended Americans to pay attention to the URLs they’re provided after scanning QR codes, to be cautious when inputting data after scanning a QR code, and to double-check that actual QR codes haven’t been replaced with dangerous ones. You should also resist using QR codes to install apps or QR code scanners (instead, use the one that comes with your phone’s operating system). Lastly, instead of scanning a QR code that might be set up to send you to dangerous sites, always type in URLs by hand when making payments.
In November, the FBI released another public service announcement on QR code hazards, warning that victims of different fraud schemes are increasingly being urged to use QR codes and cryptocurrency ATMs to thwart attempts to recoup their financial losses.
Threat actors exploit QR codes instead of buttons in spam emails to make their assaults more challenging to detect by security software and successfully redirect victims to phishing sites, as proven by a recent phishing campaign targeting German e-banking customers. Victims who were successfully led to the phishing landing sites were prompted to input their bank account numbers, codes, user names, and PINs.