FBI, cybersecurity experts warn about QR code privacy and security concerns
"They could install malware in our devices or add contacts to our contact lists. They could send emails."
QR codes seem to be everywhere. They're used for marketing and advertisements, tracking shipping labels and, since the start of the pandemic, to access menus at restaurants.
"The QR code is a 'quick response' code which is similar usually to the bar codes we see on products," Wake Forest University computer science assistant professor Sarra Alqahtani told us.
The difference is that QR codes can hold much more data than a bar code. Because a person cannot tell one QR code from another by looking at it, some cybercriminals have been using malicious codes to steal users' personal data and even financial information.
"Some users you could just scan the code and it will ask you to open your banking app and ask you to enter your username and password," Alqahtani said. "But in reality, it's a fake app. It's not your real app so they are going to steal your information and credentials."
The FBI issued a warning in January about cybercriminals placing malicious QR codes over legitimate ones, such as on restaurant menus. Hackers simply make their own QR code and carefully place it on top of the legitimate code, and most users cannot tell that it has been tampered with.
And Alqahtani says it doesn’t take a computer science degree to pull off this scam.
"It's very easy," she said. "If you Google 'QR code' and just click the first link 'how to build,' it's going to ask 'what is the information you want to put in your QR code' and that's it."
She says some hackers may prey on our curiosity and post plain codes without any accompanying description in public, hoping we will scan them to find out more.
No matter how they find their way to our phones, the sites the hackers' codes open may look authentic. Sometimes you may not even realize you’ve opened a malicious link.
For instance, the attacker may still take you to a restaurant's menu, all the while tracking and stealing your data in the background for weeks to come.
"They could install malware in our devices, add contacts to our contact lists. They could send emails," Alqahtani said.
In their January warning, the FBI provided tips on how to avoid becoming a victim of a QR code cyberattack:
- Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
- If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
- Do not download an app from a QR code. Use your phone's app store for a safer download.
- If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.
- Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
- If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
- Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
"Scan with the built-in camera in your phone because the camera will show you the link," Alqahtani adds. "Third-party applications usually just open the browser for you. If the code asks you to open an application in your device, do not do that. They are not supposed to do that."
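The FBI's first tip (check the decoded URL for a lookalike domain with a typo or a misplaced letter) and Alqahtani's point that a code should open a web link rather than an app can both be turned into a small check that runs on the decoded payload before anyone taps it. The script below is an added example and is not code from the article, the FBI notice, or Alqahtani's research; the expected-domain list and the sample payloads are constructed for illustration. It rejects non-web schemes (app deep links, `tel:`, `javascript:`), plain `http`, and punycode hosts, accepts hosts on the expected list, and flags hosts within two edits of an expected domain as lookalikes.

```python
"""Triage a decoded QR payload before acting on it.

Added example, not from the article or the FBI notice. The expected-domain
list and the sample payloads are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the domains the user actually intended to visit.
EXPECTED_DOMAINS = {"example-restaurant.com", "pay.example-bank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings.

    A small distance between a scanned host and an expected domain is the
    "typo or misplaced letter" pattern the FBI tip describes.
    """
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def triage(payload: str) -> tuple:
    """Classify a decoded QR payload. Returns (verdict, reason).

    Verdicts: "ok", "lookalike", "unexpected", "reject".
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Deep links (myapp://, intent:, tel:) hand control to another app,
        # which is exactly what a QR code should not be allowed to do.
        return "reject", "non-web scheme %r" % (scheme or "(none)")
    host = (parts.hostname or "").lower()
    if not host:
        return "reject", "no host in URL"
    if host.startswith("xn--") or ".xn--" in host:
        # Internationalised labels can render as a visual twin of a real name.
        return "reject", "punycode host (possible homograph)"
    if scheme != "https":
        return "reject", "plain http; anything typed in would travel unencrypted"
    if host in EXPECTED_DOMAINS:
        return "ok", "host %s is on the expected list" % host
    close = sorted(d for d in EXPECTED_DOMAINS if edit_distance(host, d) <= 2)
    if close:
        return "lookalike", "%s resembles %s" % (host, close[0])
    return "unexpected", "%s is not an expected domain" % host


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app might decode them.
    samples = [
        "https://example-restaurant.com/menu",        # legitimate menu link
        "https://example-restuarant.com/menu",        # two letters swapped
        "http://example-restaurant.com/menu",         # right host, no TLS
        "myapp://login",                              # tries to open an app
        "https://xn--exmple-cua.com/",                # punycode lookalike
        "https://totally-unrelated.example/",         # unknown site
    ]
    for s in samples:
        verdict, reason = triage(s)
        print("%-10s %-42s %s" % (verdict, s, reason))
```

The allowlist is the piece that makes the check useful: a scanner that only knows "this looks like a URL" has nothing to compare against, whereas a user who knows they intended to reach the restaurant's site can compare the decoded host against that one name. The two-edit threshold catches single typos and adjacent-letter swaps; lowering it to one reduces false positives on short domains.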
But both the FBI and Alqahtani said if you’re given the choice, you should avoid scanning the QR code altogether and type in the web address yourself.