If You Scanned This QR Code During The Super Bowl, The FBI Has A Warning For You

The most talked about Super Bowl ad this year was a colorful QR code bouncing off the TV screen. If you pointed your smartphone camera at it, you were redirected to the website of Coinbase, a cryptocurrency exchange. It’s a remarkably simple way to generate viral marketing.

The ad drove so much traffic it caused the Coinbase app to crash, which as I’ve written before is a bad thing when you’re trying to convince people they should trust you with their financial assets. More importantly, however, the QR code finally seems to be making its way to the mainstream.

One of the reasons is Covid-19. QR codes are popping up everywhere as a way to direct customers to information without having to hand them a piece of paper or run the risk of them mistyping a URL.

There is a problem, however. Not all QR codes are what they seem, and they have become a tool for bad actors. That’s why the FBI warns consumers to be aware whenever they scan a QR code and to take steps to protect their information. Although the FBI warning is not specifically in response to the Coinbase announcement, there is an important lesson here.

The beauty of a QR code is that instead of asking someone to remember a website, you just embed it into the code. When they scan the code, it takes them directly to the web page of your choice.

So a restaurant can put their menu online, put a sticker with a QR code on the table, and diners can just scan the code and see the menu on their phone. As businesses tried to figure out how to operate safely during a pandemic, the idea that you wouldn’t have to pass menus between people was very appealing.

QR codes can also be used to facilitate payments. For example, PayPal and Venmo allow users to scan a QR code to send money to each other. As you can imagine, any time a new technology makes it easier to visit a website or send money, someone is going to abuse it. That is exactly what the FBI warned about last month:

“Cybercriminals take advantage of this technology by directing QR code scans to malicious sites to steal victims’ data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use”

Even though the FBI was talking about QR codes in general, Coinbase’s announcement was probably the most used QR code to date. Millions of people saw the ad and many of them scanned the code.

The problem is what happens when a bad actor decides to take advantage of the ad and sends out emails with QR codes telling people they can scan and take advantage of an “offer”. Because a QR code hides the website you’re visiting, it’s easier to scam someone into giving up their personal information.

If I created a website on the domain coinbasead.stealyourbitcoin.ru, you probably wouldn’t type it into your browser. On the other hand, if I embed it in a QR code – and send it in a compelling email – when you scan it, you’ll see “coinbasead” and you might not pay much attention to the rest. It is not difficult to create an impersonator website designed only to steal your personal information or your Bitcoin.

The FBI also warns that “malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim’s mobile device and steal the victim’s location as well as personal and financial information.”

This is less of a concern on an iPhone because you cannot download software to your device from a web browser on iOS. That doesn’t mean, however, that a bad actor can’t just build an app that runs directly in the browser. On devices where you can download software directly from the internet, like Android, QR codes could pose an even bigger threat.

Fortunately, there are a few things you can do to protect yourself when scanning QR codes:

First, only scan a QR code from a trusted source. If you visit a restaurant and your server places a table tent with a code on it so you can see the menu, you’re probably fine.

On the other hand, if you walk up to an ATM and there’s a sticker next to the screen that says “do your transaction online using this code and we’ll give you $50”, that’s probably a scam. In fact, personally, I would never scan a QR code on a sticker without first asking to be sure it’s legit.

Second, when scanning a QR code, make sure the website you are visiting is genuine. Check the URL to make sure it matches what you expected. Never enter your personal information on a website without verifying that it is official and secure.

Also, if you receive an email with a QR code, there’s no reason to scan it. QR codes are for interactions where you can’t just click on a link. If the person emailing you doesn’t include the link in the body of the email, that should be a red flag.

Finally, if you are a business and you use QR codes, there are also some things you need to do. If you’re going to use a QR code, make sure the one your customers scan is the one you created. This means making sure that no one has covered the official code with a sticker, for example.

Additionally, including the URL on your sign can help customers have peace of mind when scanning your code. Include language like: “This code will take you to our menu at menu.reallynicerestaurant.com. If not, please let us know and do not enter any personal information.”
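The "check the URL" advice above, as an added example (not from the article or the FBI notice): it compares a URL decoded from a QR code with the host you expected and reports why it fails. The function and finding names are this example's own, coinbase.com is assumed to be Coinbase's domain, and the sample URLs are constructed from the hosts the article names.

```python
from urllib.parse import urlsplit

# Finding codes and their meaning (names are this example's own).
FINDINGS = {
    "unparseable": "the text is not a URL with a host",
    "not-https": "the scheme is not https",
    "userinfo": "text before '@' can make the URL look like another site",
    "punycode": "an 'xn--' label may render as lookalike characters",
    "host-mismatch": "the host is not the expected host or a subdomain of it",
    "name-embedded": "the expected name appears inside a host that does not match",
}

def check_scanned_url(scanned, expected_host):
    """Return finding codes for a URL decoded from a QR code; [] means it matches."""
    try:
        parts = urlsplit(scanned.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # e.g. malformed IPv6 brackets
        return ["unparseable"]
    if not host:
        return ["unparseable"]
    expected = expected_host.lower().rstrip(".")
    found = []
    if parts.scheme != "https":
        found.append("not-https")
    if "@" in parts.netloc:
        found.append("userinfo")
    if any(label.startswith("xn--") for label in host.split(".")):
        found.append("punycode")
    # The right-hand end of a host name decides who controls it, so compare
    # whole labels from the right. A substring or bare endswith(expected)
    # test would accept any host that merely contains the same letters.
    if host != expected and not host.endswith("." + expected):
        found.append("host-mismatch")
        # Heuristic: treat the label left of the final suffix as the brand.
        # Multi-label suffixes such as "co.uk" need a public suffix list.
        labels = expected.split(".")
        if len(labels) >= 2 and labels[-2] in host:
            found.append("name-embedded")
    return found

if __name__ == "__main__":
    # Constructed sample scans built from the hosts named in the article.
    samples = [
        ("https://www.coinbase.com/", "coinbase.com"),
        ("https://coinbasead.stealyourbitcoin.ru/offer", "coinbase.com"),
        ("http://menu.reallynicerestaurant.com/", "menu.reallynicerestaurant.com"),
    ]
    for url, expected in samples:
        codes = check_scanned_url(url, expected)
        print(url, "->", [FINDINGS[c] for c in codes] or "matches")
```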

The opinions expressed here by Inc.com columnists are their own, not those of Inc.com.
