FTC warns QR codes can steal money and install malware

News
By
published

QR codes are everywhere, but aren't always safe, FTC warns

QR Code
(Image credit: Pixabay)

When you scan a QR code, how sure are you that you know exactly where it will take you and what it will do?

QR codes have become a convenient part of everyday life, and most of us will see at least one every day.

But scammers are abusing their convenience by routing you through to malicious websites that can steal your data, process fraudulent transactions, and download malware.

 Scan here for a surprise

Quick response codes, better known as QR codes, are typically a collection of pixelated black shapes that, when scanned by a mobile camera, route the user through to a website. These have become an increasingly popular method for providing a menu, paying a bill, or for accessing information.

However, their security isn't always guaranteed as there is little to stop a scammer from placing their own QR code on top of the legitimate one, and sending you to a spoof website that may appear identical to the one you may have been trying to access.

From here, the website may ask for payment, ask you to download a file containing malware, or steal sensitive information.

QR codes are also increasingly being used within phishing emails, as spam filters are unable to recognize that a QR code could be routed through to a malicious website, allowing it to slip into your inbox unhindered.

As a result of the vulnerabilities posed by QR codes, the US Federal Trade Commission has issued a warning against the use of QR codes, and has issued guidance on staying secure when navigating through a site provided via a QR code. 

This guidance includes:

  • Ensuring the URL of the website a QR code routes you through is legitimate and does not contain any irregularities from the URL of the page you are expecting to visit, such as a singular misplaced letter.
  • Never enter any sensitive information until you are sure the website is legitimate.
  • Check QR codes for any sign of tampering which may indicate the QR code has been replaced or covered by a fake one.
  • Most mobiles today have the ability to scan QR codes with the default camera, so always be suspicious if a QR code requires a specific QR code scanner provided by a third party.
  • There is almost no functionality for embedding a QR code into an email, so always remain alert if you receive an email in this format.

 Via ArsTechnica

More from TechRadar Pro

TOPICS
Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division),  then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.