
Could That QR Code Actually Be a Phishing Attack?

The FBI recently warned consumers that some QR codes can lead to fraud and steal victim funds if scanned into smartphones. Let’s explore this growing trend.

It was Sunday evening, Feb. 13, 2022, and my family was watching the NFL Super Bowl game between the L.A. Rams and the Cincinnati Bengals.

Suddenly a commercial popped up with just a colorful QR code bouncing around on a black screen background — a bit like the old video game of Asteroids.

For a moment, I thought something was going wrong with my TV, as several family members asked: “What’s that?”

“It’s a QR code — and an intriguing way to grab the country’s attention and get people to their website,” I replied.

MONDAY MORNING COMMERCIAL ANALYSIS

The next day I was watching TV news during my morning workout, and CNBC highlighted the top Super Bowl commercials — with the Coinbase QR code receiving high praise and great reviews.

One analyst said half the country didn’t know what was going on, while the other (generally younger) half loved the commercial and scanned the code with their smartphones. In fact, the commercial crashed the Coinbase app because so many people scanned the code with their phones and went to their website.

A little later that morning, I saw this LinkedIn post from a trusted cybersecurity colleague and industry expert, Carter Schoenberg.

Carter wrote this: “So if you watched the Super Bowl last night, you may have caught some of the lamest commercials to be featured to date. However, one notable is Coinbase which had a black screen with a QR code bouncing around like it was 1977 again with "Pong." Given how pervasive advertising is on YouTube, Facebook, etc., I am giving a new 2022 prediction that this method of advertising will be used to compromise mobile devices. Granted, I am not suggesting you take an alarmist position every time you scan a QR code at a restaurant, but there is something unique about what I saw last night, and if I see this as an opportunity, so will our adversaries. Given tensions in Europe and Asia, it shouldn't be trivialized.”

My comment to this post was this: “Great points Carter Schoenberg. I was thinking that it was like 'phishing as a Super Bowl commercial.' And it got very high marks from the ratings, I saw this morning. Very intriguing, but watch out for copycats everywhere.”

WHAT ARE QR CODES?

According to BusinessInsider.com:
  • “QR codes are a type of barcode, or scannable pattern, that contain various forms of data, like website links, account information, phone numbers, or even coupons.
  • “QR codes are found everywhere from menus to social media to billboards but have picked up popularity during the pandemic for their contactless nature.
  • “To scan a QR code with your iPhone or Android, you'll want to use the QR code lens feature of your camera or download a QR code reader app.”

I also like this recent article by Adage.com, which describes the benefits and growing popularity of QR codes: “QR codes are certainly not a new marketing tool, but Coinbase's Super Bowl commercial showed that these two-dimensional barcodes can be an effective way to drive engagement on TV, a historically lean-back medium.”

I wrote a blog post last year that explains in detail how QR codes can lead to fraud, called Combatting the Growing Cyberthreat of QR Code Abuse:
“Back in 2013, David Geer laid out the dangers of QR codes for security, explaining how a malicious QR — Quick Response — code can contain a link to a website embedded with malware. The Web link then infects the user device with a Trojan.”

THE FBI'S TIPS FOR SAFELY USING QR CODES

Back in January, the FBI released an alert titled Cybercriminals Tampering with QR Codes to Steal Victim Funds, which offers these tips on how to protect yourself:
  • “Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
  • “Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
  • “If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
  • “Do not download an app from a QR code. Use your phone's app store for a safer download.
  • “If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.
  • “Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
  • “If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
  • “Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.”
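The first FBI tip, checking that the decoded URL really is the intended site, can be turned into a simple vetting routine. The following is an added example, not code from this article or from the FBI alert; it assumes a constructed allowlist of domains the user intends to visit and flags typo lookalikes, a trusted brand name buried inside another domain, punycode hosts and anything that is not an https web link.

```python
"""Vet a URL decoded from a QR code before tapping it (added example)."""
from urllib.parse import urlsplit

# Constructed allowlist: the sites the user actually means to reach.
TRUSTED_DOMAINS = {"coinbase.com", "mybank.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host (adequate for .com-style names)."""
    return ".".join(host.split(".")[-2:])


def vet_qr_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) where verdict is 'ok', 'reject' or 'unknown'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return "reject", f"not an https web link ({parts.scheme or 'no scheme'})"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "reject", "punycode host can hide lookalike characters"
    base = registrable(host)
    if base in trusted:
        return "ok", f"{base} is on the allowlist"
    for t in trusted:
        brand = t.split(".")[0]
        if brand in host:
            # e.g. coinbase.com.verify-login.example registers elsewhere
            return "reject", f"{host} mentions {brand} but registers as {base}"
        if edit_distance(base.split(".")[0], brand) <= 2:
            return "reject", f"{base} is a typo-lookalike of {t}"
    return "unknown", f"{base} is not on the allowlist; type the address yourself"


if __name__ == "__main__":
    for sample in ("https://www.coinbase.com/promo", "https://coinbaze.com/claim",
                   "https://coinbase.com.verify-login.example/", "http://coinbase.com"):
        print(sample, "->", vet_qr_url(sample))
```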

In addition, this article from HelpNetSecurity offers more tips to help. Even AARP is warning its members about the dangers of QR code abuse.

FINAL THOUGHTS

No doubt, QR codes are growing in popularity. Used properly, they offer a great technology that can help people easily access online information. But just as with other technologies, the bad actors will try to use QR codes to lead users to harm.

So the message is: be alert and follow the experts' advice.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.