The FBI alerted Americans this week that fraudsters are stealing their accounts and financial information by using deliberately engineered Quick Response (QR) codes. The alert was released earlier this week as a public service announcement (PSA) on the Bureau’s Internet Crime Complaint Center (IC3). “Cybercriminals are manipulating with QR codes to lure victims to fraudulent websites that steal login and financial information,” according to the federal law enforcement agency.

According to the FBI, criminals are altering legal QR codes used by companies for payment purposes to route potential targets to fraudulent websites that acquire personal and financial information, implant malware on their devices, or redirect their purchases to accounts under their control.

After scanning what appear to be authentic codes, the victims are directed to the hackers’ phishing websites, where they are required to input their login and financial information. Once completed, it is given to hackers, who can use it to steal money from bank accounts that have been hacked. “Although QR codes are not dangerous in nature,” the FBI stated, “it is critical to tread cautiously when inputting financial information or making a payment through a webpage accessed using a QR code.” “After a transaction, law enforcement cannot promise the recovery of lost funds.”

Practical countermeasure advice

• The FBI recommended Americans to pay close attention to the URLs they’re redirected to after scanning QR codes, to be careful when entering sensitive data, and to double-check that actual QR codes haven’t been replaced with dangerous ones.
• Avoid using QR codes to download apps or QR code scanners, rather, use the one that comes with your phone’s OS.
• Finally, instead of scanning a QR code that may be established to route you to dangerous websites, always type in URLs by hand when making payments.

In November, the FBI released another public service announcement about QR code threats, warning that victims of numerous fraud schemes are progressively being urged to use QR codes and crypto ATMs to thwart attempts to recoup their financial losses.

Malicious actors utilize QR codes rather than buttons in spam emails to render their strikes tougher to identify by security software and successfully reroute victims to phishing websites, as proven by a recent phishing campaign targeting German e-banking users. Targets who were effectively led to the phishing pages were prompted to enter their bank account numbers, codes, user names, and PINs.