During the COVID-19 pandemic, people have grown accustomed to using their smartphone camera to scan small square black-and-white barcodes, allowing them to instantly do everything from access restaurant menus to payment of bills.
Scanning a quick response, or QR code, is convenient and easy. And it’s contactless, which can make people safer in public places such as restaurants, many of which have replaced codes with paper menus.
But cybersecurity experts say QR codes have also created new opportunities for fraudsters, who can tamper with them and direct victims to malicious websites to steal their personal and financial information.
“During the pandemic, they looked at how people were engaging and ways to manipulate that,” said Angel Grant, who tracks QR code fraud as vice president of security at F5, a security company Seattle-based apps. “Cybercriminals are always looking for disruption to cause disruption.”
One of the most recent QR code scams has targeted drivers at paid kiosks in several major cities in Texas.
The scammers stuck stickers with fake QR codes on payment terminals. Drivers who scanned them were directed to a website that asked them to enter their credit card or bank account information.
This month, another fake QR code scam targeting drivers emerged in Atlanta. Officials reported that drivers were finding fake parking tickets with QR codes on their cars, directing them to a fake website. Real parking tickets in Atlanta do not use QR codes.
And fake QR codes don’t just show up in parking scams. They have appeared on billboards, online advertisements and in phishing emails, which are designed to trick people into divulging personal information.
Last month, the FBI issued an alert about cybercriminals tampering with QR codes to steal login and financial information. He said the codes can not only redirect payment using fake links, but can also contain embedded malware that allows a criminal to access a victim’s mobile device and financial information. and personal.
“It is important to exercise caution when entering financial information as well as when paying through a site accessible via a QR code,” the FBI warned. “Law enforcement cannot guarantee the recovery of lost funds after the transfer.”
Although there is no data on how often QR code fraud occurs nationwide, the Better Business Bureau has seen an increase in reports of it over the past year. In July, it issued an alert, saying people could receive an email, direct message on social media, text or post with a fake QR code. The scanner can send them to a fraudulent website or automatically launch a payment application.
Scams include those dealing with student loans and cryptocurrency.
“The scammers hope you scan the code right away without taking a closer look,” the organization said.
Grant, of the app security company, said she started noticing an increase in QR code scams during the pandemic.
“We’ve seen a huge increase in people using QR codes because of the convenience and contactless experience,” she said.
Some of the scammers target people looking for coupons or promotions online or send them an email asking them to scan a code to pay their bill, she said. Fraudsters have even hit restaurants, where they have replaced real QR codes taped to the table that customers can use to pay for their meal.
“A lot of people have heard of phishing or smishing,” she said, referring to phishing that uses text messages. “It’s quishing – using a QR code.”
Grant said she’s also seen more forums on the dark web dedicated to helping cybercriminals understand how they can use QR codes to scam people.
“It’s a balance of security and convenience, and people don’t think twice about QR codes,” she said. “Most people have been trained not to click on something in an email, but we really haven’t been educated on QR codes. If you see one taped to a restaurant table and doesn’t look right, don’t scan it. Just ask for a menu.
Towns in Texas that have found fake QR codes on their pay kiosks have hands-on experience dealing with this new form of scam.
Officials first discovered the scheme in San Antonio in late December, and the following month in Austin and Houston.
“It’s unfortunate that this scam happened in Austin,” said Jason Redfern, the city’s parking manager. “It certainly taught us some lessons and showed us a vulnerability that we’re working very hard to close the loop on, so people know not to scan the QR code.”
Although it appears that so far only cities in Texas have been affected by the scam, Massachusetts State Police issued an alert to cities and towns last month.
“This scam is appealing because QR codes are known for their speed and convenience, so a user might prefer this type of payment method to using cash or credit card at a payment kiosk” , the agency warned.
In Framingham, Massachusetts, police issued a similar warning, noting that the city does not use QR codes.
Nor any of the three cities in Texas that have experienced the problem.
San Antonio Police Lt. Marcus Booth told reporters in December that the QR code stickers had been sprinkled on 20 to 40 downtown parking lots. He said he believed some drivers had used the fake website and had been victimized, although he did not know how many.
Police spokeswoman Mariah Medina told Stateline the department had no further comment as it was an open investigation.
After San Antonio was hit, authorities notified other cities in Texas.
Redfern, Austin’s parking manager, said employees checked all of the city’s 900 payment kiosks in January and discovered fake QR stickers at 29 of them, mostly downtown.
The scammers’ web address was somewhat similar to the real company that processes payments for city parking, but instead of a .com address, they used .xyz, which was a red flag, he said. -he declares.
Redfern said the city considered using QR codes for its parking lot, but decided against it. “We were concerned about fraud. And rightly so, it turns out.
Parking officials notified the Austin Police Department and the city’s court system, in case people thought they had paid for parking when they hadn’t. So far, Redfern said he hasn’t heard of anyone being scammed.
The city is fighting fraud. Now when drivers tap the kiosk screen to pay, a warning about the QR code scam will appear. Authorities will also add similar language to pay signs for parking along streets, Redfern said, and place stickers at all 900 pay stations displaying a QR code crossed out with an X.
Austin, like many US cities, allows drivers to use a credit card or cash to pay for parking. They can also use a city parking app that links their license plate to their credit card, Redfern said. But it requires multi-factor authentication, a security technology that confirms identity before someone logs in, usually via a one-time password or random number sent to a smartphone or email address.
In Houston, which also uses a credit card, cash or app system, Maria Irshad, assistant manager of ParkHouston, said employees found 10 fake QR code stickers on its more than 900 pay stations. last month.
Now, when staff members maintain or collect money from parking kiosks, they regularly check for unauthorized stickers.
“It seems the pandemic has brought QR codes to the fore, where people have become familiar with using them,” Irshad said. “But consumers need to know which sites they are going to. There are bad actors out there.
©2022 The Pew Charitable Trusts. Go to stateline.org. Distributed by Tribune Content Agency, LLC.