QR codes, the square barcodes that can be scanned and read with smartphones, are seemingly used everywhere: boarding flights, entering concerts, and looking at restaurant menus.
But scammers trying to steal personal information have also been using QR codes to direct people to harmful websites that can collect their data, wrote Alvaro Puig, a consumer education specialist at the Federal Trade Commission. in a blog post Wednesday on the agency’s consumer advice page.
Potential scammers are hiding dangerous links in the black-and-white mix of some QR codes, the FTC warned.
The people behind such schemes direct users to harmful QR codes in deceptive ways, using tactics that include placing their own QR codes on top of legitimate codes on parking meters or sending patterns to be scanned via text message or email. way to make them appear. legitimate, the post said.
Once people have clicked on those links, the scammer can steal the information entered into the website. The QR code can also be used to install malware that steals a person’s personal information, the FTC said.
Scam codes sent by text or email often use lies to create a sense of urgency, such as saying a package could not be delivered and needs to be rescheduled or posing as a company and saying there is suspicious information at the address. of a person. account and that the user’s password needs to be changed, the FTC said.
“They want you to scan the QR code and open the URL without thinking about it,” the FTC said.
John Fokker, head of threat intelligence at Trellix, a cybersecurity company, said in an email on Sunday that the company’s advanced research center More than 60,000 QR code attack samples were detected in the third quarter of 2023.
The most common type included mail scams, malicious file sharing and messages impersonating human resources, information technology and payroll departments, he said.
“The pandemic caused a resurgence of QR codes in our daily lives, from restaurant menus to their use in doctors’ offices, making QR codes an attractive vector for cybercriminals to use to attack people and organizations around the world,” said Mr. Fokker. .
Fokker said mobile users are “particularly vulnerable” to these attacks because “most of the time, QR codes are scanned using mobile devices that may not have the same level of security and protection as desktop computers.”
There are many steps organizations and individuals can take to protect themselves, Fokker said. He advised never opening links, following QR codes or downloading documents from unknown contacts.
He said people should also use two-factor authentication, which uses apps or phone numbers to help verify a person’s identity online, and “keep software up-to-date to ensure devices have the latest security measures in place.” “.
The FTC issued similar guidance, saying that after scanning a QR code but before opening the link, consumers should check the URL to see if it is a web address they recognize. If the URL appears legitimate, users should check for misspellings or a changed letter in the address. (Here’s how URL preview on an iPhone and using the Google Lens app.)
“Do not scan a QR code in an email or text message that you were not expecting, especially if it prompts you to act immediately,” the FTC warned. “If you believe the message is legitimate, use a phone number or website that you know is real to contact the company.”
In January 2022, the FBI issued an alert to consumers about malicious QR codes. He warned people not to download linked apps from QR codes, but rather to search for the app in their smartphone’s app store and download it from there.