QR codes, bar codes with little squares that can be scanned and read by smartphones, are apparently used everywhere — to board flights, enter shows and consult restaurant menus.
But scammers trying to steal personal information have also used them to direct people to harmful websites that can collect their data, according to Alvaro Puig, a consumer education specialist at the FTC.
Scammers hide dangerous links in the black and white mix of some QR codes, the agency warned.
When people click on these malicious links, the scammer can steal the information entered on the site. The QR code can also be used to install malware that steals personal data, the FTC said.
Deceptive codes sent via text message or email often use lies to create a sense of urgency, such as saying a package could not be delivered and demanding that the delivery be rescheduled, or impersonating a company to say there is suspicious information in a person's account and that their password needs to be changed, according to the FTC.
John Fokker, head of threat intelligence at cybersecurity firm Trellix, said in an email that the company’s advanced research center saw more than 60,000 cases of QR code attacks in the third quarter of 2023.
The most common types included package delivery scams, malicious file sharing and messages posing as human resources, information technology and payroll departments, he said.
Fokker said mobile device users are “particularly vulnerable” to these attacks because “QR codes are often scanned using mobile devices which may not have the same level of security and protection as desktop computers.”
There are many steps organizations and people can take to protect themselves, Fokker said. He advised never opening links, scanning QR codes or downloading documents from unknown contacts.
He said people should also use two-factor authentication, which uses apps or phone numbers to help verify a person’s identity online, and “keep software up to date to ensure devices have the latest security measures in place.”