The NJCCIC recently observed two phishing campaigns in which threat actors included suspicious links via QR codes. Quick Response (QR) codes are square barcodes that can be scanned by smartphones to quickly send users to a website, download an application, or direct payments. The use of QR codes increased during the COVID-19 pandemic as restaurants and other businesses transitioned to using online menus and resources to decrease the likelihood of patrons spreading germs via hard copies. The popularity of QR codes remains, and with it comes the adoption by cyber threat actors to deliver malicious links to their targets. These recently reported phishing campaigns included emails impersonating IT departments and used lures of updates to, or maintenance of, 2FA (two-factor authentication, also known as multi-factor authentication). While one campaign inserted the QR code directly in the body of the email, another included a PDF attachment where the QR code was provided. Separately, the Better Business Bureau (BBB) recently reported on a QR code fraud scheme in which scammers placed fake QR code stickers on top of legitimate ones in order to send drivers to fraudulent sites to pay for parking. In January 2022, the FBI released a Public Service Announcement, Cybercriminals Tampering with QR Codes to Steal Victim Funds, which provides tips to protect yourself from these scams.

What Should I Do?

The NJCCIC advises users to avoid scanning QR codes included in emails, even those that appear to be sent from known or trusted contacts, without first verifying the legitimacy of the communication. Additionally, follow the recommendations found in the BBB and FBI reports to avoid falling victim to a QR code scam, including looking for signs of tampering and reviewing the associated URL before navigating to the website. Users are encouraged to educate themselves and others on this and similar scams to prevent future victimization. Contact us here at Cyber Command for any further questions.