The FBI Thinks You Should Double Check That QR Code

Quick Response codes, or QR codes as they're better know, seem to have popped up just about everywhere these days. Whether you’re in a hurry to pay for your coffee, hoping to check out the menu at your favorite restaurant or just wanting to open a long URL on your phone, the little square barcodes have got you covered. But how can you tell if the QR code you just scanned is a scam?

Cybercriminals love QR codes

Most times you can’t, and that’s a bit worrisome. Apart from privacy issues, the FBI warns that cybercriminals have been tampering with QR codes to redirect people to malicious sites that steal login and financial information, download malware and redirect payments for cybercriminal use. How can they do that?

Pretty simple: because the human eye can’t distinguish one QR code from another, all they have to do is generate a dummy QR code and stick it over real one. When it comes to digitally generated QR codes, things get a little bit more complicated - hackers need to access the device that generates the QR code or to impersonate a trusted entity, but no effort is too big when you’re a criminal trying to scam your victims out of money, or bitcoin.

That parking spot will cost you extra

Case in point: Police officers in the Texan cities of Austin and San Antonio discovered bogus QR codes stuck onto public parking meters. The parking meters in both cities don't normally display QR codes, and only accept payment via coins, cards or a smartphone. However not everyone knows that and, if the webpage you’re directed to pretends to accept payment for the parking session, you’ll likely pay.

How to stay safe when using QR codes

QR codes on their own are not malicious in nature, and there’s no reason to stop using them altogether. However, you should take certain precautions to protect yourself.

• Don’t scan random QR codes you find on the street, as there’s a big chance they will redirect you to a malicious website
• Avoid installing a QR scanner app on your phone as this exposes you to malware; most phones have built-in QR scanners and all you have to do is open your Camera app
• When dealing with physical QR codes, always check if they have been tampered with stickers
• Once you scan a QR code, double check that the URL looks legit and the domain isn’t just similar to the intended site
• Avoid downloading apps from QR codes, and avoid entering financial data through a site navigated to from a QR code. Instead access it manually
• Double check e-mails and messages asking you to pay or log in using a QR code
• Consider a mobile security solution. Bitdefender Mobile Security for both Android and iOS protects your devices from a wide range of attacks