Be careful when scanning QR codes, officials warn

Codes can be used to trick people into following malicious links, US FTC warns

Andrew Griffin
Monday 11 December 2023 16:03 GMT

People should be careful when scanning QR codes, US officials have warned.

Attackers are using the now prevalent technology to hide links to malicious websites, according to the Federal Trade Commission. It warned that criminals are increasingly using them to steal personal information and conduct other cyber attacks.

QR codes have come to be in widespread use in recent years, as a way of providing a handy and unique link to a specific website or other service. Their usage surged especially during the pandemic, when they could be used to direct people to online menus without any contact, for instance.

That usefulness and widespread adoption have, however, made them appealing to scammers, the FTC said. The same technology that makes them a quick way of getting to a link has also allowed cyber attackers to use them to quickly send people to malicious websites.

Attackers might cover up a QR code on a parking meter with their own one, which sends people to a fake payments website, the FTC warned. Some might send codes directly through email or text, with an excuse for why they need to be scanned: claiming that you missed a delivery or that there has been suspect behaviour on an online account, for instance.

Those links will usually take people to a spoofed website that looks real but isn’t. They might then harvest login or payment details to be used for cyber crime.

The FTC warned people that they should check any QR code they see in an unexpected place, and ensure that it really is taking them to the right website. It might include a URL that looks like the one it is spoofing but swaps a letter, for instance.

It also warned people not to scan QR codes from unexpected emails or texts, “especially if it urges you to act immediately”. If a message seems like it might not be legitimate, then contact the company through a known phone number or website, it advises.

And users should also generally ensure that their accounts and devices are secure. That includes updating any devices to the latest operating system and using strong passwords, for instance.
