Hackers use QR codes to steal your money

QR codes with their square barcodes regained popularity early in the pandemic because consumers found them easy to use and businesses didn’t have to worry about contact contamination.

Many businesses, especially restaurants, started using QR or Quick Response codes and replaced them with menus, as customers could scan them from their smartphones in seconds. Other industries have adopted QR codes for coupons, invoices, or to find out more about a topic or person. Coinbase ( (PIECE OF MONEY) ), the cryptocurrency exchange, even paid nearly $14 million for a 30-second Super Bowl ad in January that only featured a QR code.

As the demand for QR codes grew, cybercriminals also noticed the opportunity to steal a consumer’s personal or financial data and quickly earn a paycheck.

“Everything that consumers will use and trust will eventually be used by hackers,” said John Bambenek, principal threat hunter at Netenrich, a San Jose, Calif.-based IT operations and digital security firm. at TheStreet. “Criminals will use anything they can to steal money.”

Hackers tamper with QR codes because their use has become widespread and tampering with them is simple, Hank Schless, senior director of security solutions at Lookout, a San Francisco-based security service provider, told TheStreet. Some contain malicious links embedded in malware so that cyber criminals can easily get your data such as credit card information or social security number.

QR codes have made a resurgence since the pandemic, including event registration. They are just “another tactic that hackers use to circumvent traditional security services, much like smishing where fraudulent text messages are sent by what appears to be a real company or phishing in Microsoft Teams and Zoom” , Patrick Harr, CEO of SlashNext, a Pleasanton, California-based anti-phishing company, told TheStreet.

How to Scan QR Codes Safely

Consumers think scanning QR codes is harmless, but they’re actually “inherently untrustworthy,” Casey Ellis, CTO of Bugcrowd, a San Francisco-based cybersecurity firm, told TheStreet.

“COVID has brought them into use cases where they are highly reliable,” he said. “Once you get used to scanning a QR without thinking about it from a security perspective, it becomes quite an attractive payload delivery vehicle for attackers.”

Fraudsters are often one step ahead and sneaky in their strategies to trick unsuspecting people into scanning or clicking on a link. QR codes are used to log into accounts, exchange contact information, and perform money transfers or provide contactless payment options.

QR phishing attacks are on the rise because they require so little effort to succeed. For one thing, codes are physical displays, which means harmless code can easily be overlaid with nefarious code that takes users to a malicious website. This allows cybercriminals to easily “show” the legitimate site that steals login credentials or installs malware.

Phishing is a common type of threat where hackers pretend to send emails to legitimate companies and ask for personal data.

“Threat actors have discovered that QR codes are one of the most effective ways to deliver malicious links. So you need to understand that while QR codes make contactless interactions seamless, they also allow attackers to send malicious links easily,” Schless said. “Once an ID is stolen, it’s easy for attackers to steal personal and corporate data.”

Scroll to continue

Always check the URL on the notification before clicking to be redirected, he recommends.

“If the URL does not resemble a trusted source or differs from the known business URL, exit the notification,” Schless said. “I strongly recommend that you think of QR codes the same way you think of other phishing tactics like email scams and social engineering.”

Attackers and pranksters printed counterfeit QR code stickers and placed them above existing QR codes, Ellis said.

“Having a quick glance to see if the QR code looks out of place, looks like a sticker when it shouldn’t, could help people avoid risks,” he said.

Avoid these tasks from a QR code

QR codes are often used to present information and help consumers avoid legitimately entering long strings of data such as account numbers. People should “exercise extra caution when asked for sensitive information such as credit card details, passwords and personally identifiable information,” Ellis said.

The FBI warned consumers in January that criminals were using QR codes to steal data, embed malware to gain access to the victim’s device and redirect payment for cybercriminal purposes. Recovery of the money after it is transferred cannot be guaranteed, the FBI said.

“A victim scans what they think is legitimate code, but the forged code directs victims to a malicious site, which prompts them to enter login and financial information,” the FBI said. “Access to this victim information gives the cybercriminal the ability to steal funds through victim accounts.”

Consumers should avoid downloading an app from a QR code and instead use the App Store for a safer download, the FBI said. Another scam involves receiving an email stating that a payment has failed from a business where a recent purchase was made. If the company says “you can only make payment via QR code, call the company to verify,” the FBI said.

Sanfield Construction, a subsidiary of Sun Hung Kai Properties, monitors the quality of concrete used in the developer's projects using QR codes.  Picture: handout

Avoid downloading QR readers from a QR code as this is often a trick used by scammers” just like tricking people into downloading fake antivirus on their laptops where the download app is in does malware,” Brian Contos, chief security officer of Phosphorus Cybersecurity, a Nashville-based IoT security company, told TheStreet.

“It’s good practice not to download anything from a QR code scan,” he said. “Be skeptical and don’t share sensitive information unless you’re sure it’s legitimate. A sticker or flyer on a lamppost should set off alarm bells in your head. If someone asks for a payment, on a parking ticket for example, you can be sure that there will be several payment methods for someone.

One method that is gaining popularity is to use QR codes for parking meters. The barcodes direct users to a website where they can enter their payment information or download an app to pay, said Alex Hamerstone, director of consulting solutions at TrustedSec, an ethical hacking and computer incident response firm. based in Strongsville, Ohio at TheStreet.

“A scammer can create a QR code that directs to their fraudulent website that looks genuine, print stickers with that QR code, and place the stickers over the legitimate QR code to send users to their fraudulent site and collect their banking and credit card information. credit card or other personal data.”

Comments are closed.