Smartphone users need to be careful about scanning QR codes displayed in public places, including shops, restaurants, and parking areas. In this modern digital world where people are increasingly relying on QR codes to make payments, cybercriminals are abusing it as a lucrative source to steal funds from them. Here’s a glance at some recent examples.
Fake survey via QR code
- Scammers put up a fake QR code on the glass door of a bubble tea shop. It would urge visitors to fill out the survey for a "free cup of milk tea."
- To complete the survey, a bogus third-party app was downloaded onto the user's device to complete the 'survey.
- This enabled the scammers to siphon out $20,000 from the bank account of the victim.
Parking ticket QR code scam
In another incident, scammers were found leaving fake parking tickets on drivers’ windshields.
- It tricked car owners into believing that the tickets were issued by San Francisco’s government, who end up paying amounts to scammers.
- Scanning the code would redirect victims to a phishing link impersonating the San Francisco Municipal Transportation Agency (SFMTA) website, prompting them to enter their credit card details.
Cybercriminals monetizing through QR code scams is also a concerning factor as this can enable them to purchase more sophisticated tools or get their hands on stolen user records put on sale to expand their attack scope. That’s not all! Cybercriminals have also been experimenting with QR codes to pilfer credentials from victims.
Harvesting credentials via QR codes
- Earlier this year, FortiGuard Labs shared details of a campaign wherein threat actors were using multiple QR codes to target Chinese-speaking users.
- These codes were dispatched in a Word document attached to an email spoofing the Chinese Ministry of Finance.
Threat actors with stolen credentials can abuse them to gain direct access to victims’ accounts. They can also use it to perform identity theft.
Stay safe
Follow the FBI’s advisory to avoid falling victim to such scams. Users must also take caution by checking the URL of the code before entering their financial and personal information. As a general rule, they must check the authenticity of the address link by typing the website name directly into the browser.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/d33b_shutterstock_1553442719.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/08d2_shutterstock_1299236647.jpg)
