FTC issues warning about QR code scams that let hackers take control of your phone and steal money when you scan a menu

The US Federal Trade Commission (FTC) has warned Americans about QR Code scams infiltrating restaurants, airports, sporting events and retail stores.

QR codes (QR stands for “Quick Response”) are machine-readable codes made of black and white boxes that store URLs, payment options, and links to other online services, and can be read by a smartphone camera.

They surged in popularity during the Covid pandemic in stores and restaurants for contactless payments and services, and the codes have since become a mainstay.

However, thieves design fake codes that redirect users to fraudulent websites, allowing them to collect data, take control of smartphones, or steal money.


Cybersecurity experts monitored the scam and found more than 60,000 samples of QR code attacks in the third quarter of 2023.

“A scammer's QR code may take you to a scam site that looks real but isn't,” the FTC shared in the announcement.

And if you log into the scam site, scammers can steal any information you enter. Or the QR code may install malware that steals your information before you even realize it.

Officials warned that the scams are being carried out at physical locations by overlaying a fake code on top of a genuine one and via text messages and emails.

“Do not scan a QR code in an email or text message that you are not expecting — especially if it urges you to act immediately,” the FTC noted.

“If you think the message is legitimate, use a phone number or website that you know is real to contact the company.”

The announcement also urged the public to be wary of QR codes in unexpected locations and to watch out for misspellings or swapped letters in URLs.


John Fokker, head of threat intelligence at cybersecurity company Trellix, told The New York Times: “The pandemic has led to a resurgence of QR codes in our daily lives – everywhere from restaurant menus to use in doctors’ offices – making QR codes an attractive tool for cybercriminals to use to target individuals and organizations around the world.”

Fokker said people should use two-factor authentication, which uses apps or phone numbers to help verify a person's identity online, and “keep software updated to ensure devices have the latest security measures in place.”

The FBI issued a similar warning in May and previously in January 2022.

A report from Marcum, a New York-based accounting and consulting service, shows that QR code scams are among the top five cybersecurity threats observed in April.

The group highlights that scammers are using fake codes to carry out phishing scams in emails and social media messages.

“Scammers may also approach you through an online marketplace claiming to be trying to buy the goods you are selling and asking you to scan a QR code,” according to Marcum.

“Avoid making payments from a website accessed via a QR code. To make a payment, manually enter a known and trustworthy website.”

Another area that sees fake QR codes is the cryptocurrency industry.

“Cryptocurrency transactions are often conducted through QR codes linked to cryptocurrency accounts…making these transactions easy to flag,” according to an FBI press release.

“If you scan a scammer's bad code, you could end up giving them access to your device.

“It can access your contacts, download malware, or send you to a fake payment gateway.

“Once it gets there, you could inadvertently give it access to your bank and credit card accounts. If you pay with a bad QR code, it's difficult, if not impossible, to get that money back.”
