The FBI is warning that cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.
Quick response, or QR, codes have taken off since the start of the pandemic, giving governments and businesses a fast, contactless way to pass information to consumers. Their popularity and ease of use have prompted the FBI to warn end users that cybercriminals can tamper with the codes to redirect them to malicious sites.
In an alert, the bureau gave a brief overview of the methods cybercriminals are using. In most cases, the falsified QR code will redirect the user to a malicious website or domain, where the unassuming consumer will input sensitive personal or financial information.
The FBI urged users to double-check and verify the validity of a QR code before navigating to a destination site and to practice caution before entering any personal information. Moreover, the agency recommends against downloading a QR code scanner app, as that increases the risk of introducing malware on personal devices. Most phones already include a QR reader through the camera app.
The announcement comes as governments are deploying QR codes to expedite and simplify communication with citizens. Electronic registrations and check-ins, which were once done on paper, are now carried out in milliseconds with the use of a unique code.
With H5 QR codes, which create custom landing pages without the need for a unique domain or hosting site, local governments have shared important information with constituents. Many states, like Delaware and Massachusetts are using a QR tool to give their residents quick access to their vaccination records.
While QR codes have improved government efficiency, they have also left many agencies that use them exposed to cyber criminals.
Most recently, Austin, Houston and San Antonio were hit with a string of attacks targeting public parking meters. Scammers diverted parking fees by tricking consumers into paying for parking by using fraudulent QR code stickers pasted on the meters.
“Cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use – Do not scan a randomly found QR code,” the FBI said.