The Federal Trade Commission has issued a warning to consumers about QR codes and how they are being used to potentially scam individuals and steal their personal and financial information.
Why This Matters: Companies in the accounts receivable management industry have been using QR codes more in letters to consumers as a means of making it easier for consumers to access payment and self-service portals. In some cases, the QR code just points the consumer to the website hosting the portal and the consumer still has to log in with credentials; in other cases, the QR code directly logs consumers into the portal, bypassing the need for them to enter a user name or password.
What to Watch: The FTC noted that fake QR codes were being included in text messages and emails, and that they install malware on consumers’ devices when accessed.
- In a lot of cases, because the malware is embedded in a QR code image, it is not detected by anti-phishing and security software scans.
- There were more than 60,000 QR code attacks in the third quarter of 2023, according to a published report.
How to Spot a Scam: The more urgent a request is, the more likely it is to be a scam, the FTC noted. If a message or notification urges you to act immediately, then consider it a potential scam and act accordingly.
- Consumers are also advised to keep their smartphone’s operating system as up-to-date as possible, and to use strong passwords and deploy multi-factor authentication wherever possible.
- Other steps to take include:
  - After scanning a QR code, ensure that it leads to the official URL of the site or service that provided the code. As is the case with traditional phishing scams, malicious domain names may be almost identical to the intended one, except for a single misplaced letter.
  - Enter login credentials, payment card information, or other sensitive data only after ensuring that the site opened by the QR code passes a close inspection using the criteria above.
  - Before scanning a QR code presented on a menu, parking garage, vendor, or charity, ensure that it hasn’t been tampered with. Carefully look for stickers placed on top of the original code.
  - Be highly suspicious of any QR codes embedded into the body of an email. There are rarely legitimate reasons for benign emails from legitimate sites or services to use a QR code instead of a link.
  - Don’t install stand-alone QR code scanners on a phone without good reason and then only after first carefully scrutinizing the developer. Phones already have a built-in scanner available through the camera app that will be more trustworthy.
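The official-URL check in the first of these steps can be automated wherever a QR payload has already been decoded to a URL, for example in a mail filter or a help-desk tool. The following is an added example, not code from the FTC or from this article; the domain `example-collections.com`, the sample URLs and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domain printed on the sender's own letters (constructed value).
OFFICIAL_DOMAINS = {"example-collections.com"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two neighbouring letters swapped count as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_qr_url(url: str, official=OFFICIAL_DOMAINS) -> str:
    """Return 'official', 'lookalike', 'unknown' or 'invalid' for a decoded QR URL."""
    try:
        parts = urlsplit(url.strip())
        # hostname ignores any "user@" prefix, so text before "@" cannot pose as the host.
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "invalid"
    if parts.scheme != "https" or not host:
        return "invalid"  # only https links with a host are accepted
    for domain in official:
        if host == domain or host.endswith("." + domain):
            return "official"
    for domain in official:
        # Compare only the rightmost labels, which decide who controls the name.
        tail = ".".join(host.split(".")[-domain.count(".") - 1:])
        if osa_distance(tail, domain) <= 1:
            return "lookalike"  # one letter away from the official domain
    return "unknown"

if __name__ == "__main__":
    for sample in ("https://pay.example-collections.com/portal",   # constructed
                   "https://exmaple-collections.com/portal",       # constructed
                   "https://example-collections.com.evil.test/"):  # constructed
        print(classify_qr_url(sample), sample)
```

A result of `lookalike` or `unknown` means the link should not be followed from the message; the portal address should instead be typed in from a known-good source.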