Fact: Legitimate Quick Response codes, such as those used to access restaurant menus, can easily be duplicated – meaning users might unwittingly be sharing their address, credit card information or other personal details with bad actors.
The FBI issued a public-service announcement this year to raise awareness of malicious QR codes — square barcodes that a smartphone camera can scan and read to provide quick access to a website, download an application or direct payment to an intended recipient.
Many businesses use QR codes to provide convenient contactless access. However, cybercriminals are taking advantage of this technology by tampering with digital and physical QR codes to direct victims to malicious sites that can steal victims’ data, embed malware to gain access to a victim’s device or redirect payments to the cybercriminal.
While QR codes are not malicious in nature, it’s important to practice caution when entering personal or financial information into a website accessed via a QR code.
Tips to protect private information:
- After scanning a QR code, check the URL to make sure it’s the intended site and looks authentic. Like malicious email accounts, a malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Practice caution when entering login, personal or financial information from a site navigated to from a QR code.
- If scanning a physical QR code, ensure that the code has not been tampered with, such as with a sticker placed on top of the original code.
- Do not download an app from a QR code. Use the app store for a safer download.
- Call the company to verify any “payment failed” messages that prompt payment through a QR code. Locate the company’s phone number through a trusted site rather than a number provided in the email.
- Do not download a QR-code-scanner app. This increases the risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
- If you receive a QR code that you believe to be from someone you know, contact them through a known number or address to verify that the code is from them.
- Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
How to report fraud
Victims of stolen funds from a QR code that’s been tampered with can report the fraud at www.fbi.gov/contact-us/field-offices. The FBI also encourages victims to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.
Roadrunners can report Metropolitan State University of Denver-related fraud incidents to the Information Technology Services Security Team by submitting a help ticket or calling the ITS Service Desk at 303-352-7548.