Avid readers of the Malwarebytes Labs blog will be well aware of QR code scams.

Take, for example, the QR code scam in the Netherlands that victimized at least a dozen car owners (and certainly more). It went like this: someone approaches you and says they want to pay for their parking but can’t find a payment terminal that accepts cash. They then ask you to kindly pay on their behalf—say, $5 USD—by scanning a QR code with their bank’s app after they hand you the money. Sadly, you end up parting with a lot more than $5.

And then last week, the Austin Police Department in Texas released a scam alert on Twitter about “pay-to-park” scams involving a QR code that directs users to a phish.

Now, the FBI has released a public service announcement (PSA) about criminals using malicious QR codes.

Be extra vigilant when faced with a QR code

QR codes provide contactless access to a product or service, and they’ve proven useful and very convenient, especially with the pandemic still ongoing. The problem is that there’s no way to tell, just by looking at it, whether a code is genuine or malicious. Cybercriminals know this too and have capitalized on it.

“Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes,” notes the FBI alert. “A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.”

QR codes can also be used to deliver malware. Once scanned, the malware can be dropped onto the device and executed. Depending on the malware, criminals could steal your personal and financial information (especially if you bank using your smartphone), make your device part of a botnet, or spy on you.

Criminals can also replace legitimate QR codes in establishments to mislead users and direct them to a malicious site. Where a contactless payment option exists but doesn’t use QR codes at all, it would be easy for criminals to simply add their own QR code sticker and make users believe they are supposed to scan it.

This is exactly what happened in the fraudulent “pay-to-park” scheme.

Anyone looking at this parking meter in Austin, Texas has their attention directed to a QR code sticker at the bottom right of the “Pay by App Parking” service ad, which encourages car owners to download an app to pay for parking easily. The placement makes it look like users are supposed to scan this code in order to download the app. (Source: KPRC Click2Houston)

How to protect yourself from QR code scams

The FBI recommends the following steps, which users should keep in mind:

  • After scanning a QR code, check the URL to make sure it leads to the site you expect. Watch out for misspellings in the URL.
  • When you see a QR code in a shop and want to scan it, check for signs of tampering, such as a sticker placed over the original code.
  • Use your smartphone camera’s built-in scanner to read QR codes. There is no need to download a separate scanner from the app store; fake QR code scanner apps exist, too.
  • If you receive a QR code in the mail or from a friend, get in touch with the sender first and verify that they actually sent you the code.
  • If you can, avoid making payments via a QR code. There are better and more secure ways to pay.
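The first tip, checking the decoded URL for the expected destination and for misspellings, can be turned into a small pre-flight check. The following is an added example and not code from Malwarebytes or the FBI PSA; the allowlisted hosts, the brand name and the sample URLs are constructed for illustration.

```python
# Added example (not code from the Malwarebytes post or the FBI PSA): sanity-check a
# URL decoded from a QR code before following it. Allowlist and inputs are constructed.
from urllib.parse import urlsplit

# Constructed allowlist: hosts the city's official parking-payment app is expected to use.
EXPECTED_HOSTS = {"parkingapp.example", "pay.parkingapp.example"}
BRAND = "parkingapp"  # constructed brand name, to spot "brand.evil.test"-style hosts


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_qr_url(payload: str, expected_hosts=EXPECTED_HOSTS) -> list:
    """Return a list of warnings; an empty list means the URL looks as expected."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme {parts.scheme!r})"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username or parts.password:
        # "https://parkingapp.example@evil.test/" really goes to evil.test
        warnings.append("credentials in URL (user@host trick)")
    host = (parts.hostname or "").lower()
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        warnings.append("internationalized/punycode host can hide lookalike characters")
    if host in expected_hosts:
        return warnings
    # Not on the allowlist: is it a near-miss misspelling of an expected host?
    near = sorted(e for e in expected_hosts if edit_distance(host, e) <= 2)
    if near:
        warnings.append(f"host {host!r} is a near-misspelling of {near[0]!r}")
    elif BRAND in host:  # expected name buried inside an unrelated domain
        warnings.append(f"host {host!r} contains {BRAND!r} but is a different domain")
    else:
        warnings.append(f"host {host!r} is not an expected destination")
    return warnings
```

A phone camera shows the decoded URL before opening it; the same checks apply when reading that preview by eye.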

Stay safe!