QR codes can hide deceptive links from identity thieves, FTC warns
QR codes, the square bar codes that can be scanned and read by smartphones, are seemingly used everywhere: to board flights, enter concerts and look at restaurant menus.
But scammers trying to steal personal information have also been using QR codes to direct people to harmful websites that can harvest their data, Alvaro Puig, a consumer education specialist at the Federal Trade Commission, wrote in a blog post Wednesday on the agency's consumer advice page.
Would-be scammers hide dangerous links in the black-and-white jumble of some QR codes, the FTC warned.
The people behind those schemes direct users to the harmful QR codes in deceptive ways, using tactics that include placing their own QR codes on top of legitimate codes on parking meters or sending the patterns to be scanned by text or email in ways that make them appear legitimate, the post said.
Once people have clicked those links, the scammer can steal information that is entered on the website. The QR code can also be used to install malware that steals the person's personal information, the FTC said.
The deceptive codes sent by text or email often use lies to create a sense of urgency, such as saying that a package couldn't be delivered and it needs to be rescheduled or posing as a company and saying that there is suspicious information on a person's account and that the user's password needs to be changed, the FTC said.
“They want you to scan the QR code and open the URL without thinking about it,” the FTC said.
John Fokker, head of threat intelligence at Trellix, a cybersecurity company, said in an email Sunday that the company's advanced research center saw more than 60,000 samples of QR code attacks in the third quarter of 2023.
The most common type included postal scams, malicious file sharing and messages impersonating human resources, information technology and payroll departments, he said.
“The pandemic led to a resurgence of QR codes in our daily lives — everywhere from restaurant menus to use in doctors' offices — making QR codes an attractive vector for cybercriminals to use to target individuals and organizations around the world,” Fokker said.
Fokker said mobile users are “particularly vulnerable” to these attacks because “more often than not, QR codes are scanned using mobile devices which may not have the same level of security and protection as desktop computers.”
There are many steps that organizations and people can take to protect themselves, Fokker said. He advised to never open links, follow QR codes or download documents from unknown contacts.
He said people should also use two-factor authentication, which uses apps or telephone numbers to help verify a person's identity online, and “keep software updated to ensure devices have the latest security measures in place.”
The FTC issued similar guidance and said that after scanning a QR code, but before opening the link, consumers should check the URL to see if it is a web address that they recognize. If the URL looks legitimate, users should check for misspellings or a switched letter in the address.
“Don't scan a QR code in an email or text message you weren't expecting — especially if it urges you to act immediately,” the FTC cautioned. “If you think the message is legitimate, use a phone number or website you know is real to contact the company.”
In January 2022, the FBI issued an alert to consumers about malicious QR codes. It warned people not to download apps linked from QR codes, but to find the app on their smartphone's app store and download it from there instead.