Quick response codes, or QR codes, may be easy and convenient to use to read menus at restaurants during the pandemic or to enable touch free mobile payments — but the Army now warns that criminals can exploit QR codes to connect phones to run scams.
When smart phones scan a QR code, which is made up of black and white dots arranged in a square, the code will typically open up a browser or enable a payment to a business. Users should also be wary of cybercriminals who may try to use QR codes to steal users’ money, the Army Criminal Investigation Command’s Major Cybercrime Unit said in the alert, issued earlier this week.
Scams could also include connecting devices that scan QR codes to a malicious network and sending texts or making calls to users’ contacts or adding malicious contacts to the contact list, the Army alert warned.
Eighty-four percent of people surveyed by security firm MobileIron last September reported they have scanned a QR code before. But 71% of those polled reported they couldn’t distinguish between legitimate and malicious codes.
Part of the concern is that users can’t decipher where exactly a QR code will lead them, just as some users have trouble differentiating between malicious links from legitimate links in their email inbox.
QR code scams are nothing new — law enforcement entities in The Netherlands and ING, a Dutch banking company, have previously warned against trusting random QR codes and spotting potential criminal schemes. However the prevalence of QR codes during the coronavirus pandemic are raising concerns in the Army that fraudsters may be looking to take advantage of those trying to embrace touch-free technologies during the global health crisis.
“Cameras on up-to-date smart phones read QR codes natively and open documents,” the Army alert reads. “Easy, effective, fast, economical, and touch free. All of these are qualities wanted in the days of COVID-19. But, like just about everything good in computers or on the internet, if it can be used for good, it can and will be used for bad.”
Some governments around the world have introduced QR codes into contact tracing agendas, such as in western Australia, where some businesses have been required to participate in contact registers, which can be activated with QR codes, for COVID-19 contact tracing.
Previous reports of QR code scams include people replacing publicly-placed QR codes with their own so that any payments sent through them actually go to the criminals. Other criminals have tricked people through social engineering to trust their QR codes to make payments, only to find their bank accounts drained later, as happened in the case in The Netherlands. In that case, fraudsters were able to gain access to hundreds of users’ ING mobile banking app and complete withdrawals, according to the bank.
To avoid QR code scams, the Army is warning users to not scan randomly found QR codes, QR codes that appear to be printed on a label on top of other codes or QR codes sent in emails. The Major Crime Unit is also warning users to be particularly suspicious if after scanning a QR code a password or credential box pops up.
Even at trusted businesses, it could be best to ask an associate about the QR codes being used.
“Do not scan a QR code if it is printed on a label and applied atop another QR code,” the Major Crime Unit warned. “Ask a staff member to verify its legitimacy first. The business might simply have updated what was their original QR code.”