A new QR code phishing scam is spreading through various industries, potentially affecting the future usage of these codes at your sites. As QR codes have become a crucial part of many businesses’ operations, providing a contactless way to pass information to consumers, these codes have popped up on posters, at restaurant tables, in mobile applications and more – making scanning and using these codes a part of our daily lives.
Criminals have begun taking advantage of the presence of these codes. For example, 30 fake QR codes were recently found on parking meters across Austin, TX, leading people to submit credit card information to a fraudulent site. The scam also appears as fraudulent QR codes in emails, websites and digital ads, all ultimately leading victims to fraudulent sites where they submit sensitive personal information, often financial.
How does this affect my site(s)?
In order to provide consumers with a safe and seamless way to be led to the mobile app or promotional sites, POP materials have recently included QR codes. As these scams are beginning to spread, your site(s) could be at risk in the near future of having malicious QR codes pasted on pump-toppers, window clings, posters and pop-ups for ongoing and seasonal promotions at your site(s). This means that consumers looking to make a rewarding fill-up at your station could fall victim to giving up financial information to criminals.
What can I do to prevent this activity at my site(s)?
Cybersecurity experts recommend the following tips for mitigating this fraud at your c-stores and pumps.
- Frequently check QR codes around your site(s): Encourage your employees to make it part of their routine to check for malicious QR codes around your site. If a QR code looks like it doesn’t match the background, is lifted from the original material, or is in the form of a sticker, instruct them to remove it immediately and confirm its validity by comparing it to original promotional materials.
- Avoid scanning any QR code presented in an email or paper junk mail: Cyber Threat Analyst Brad Haas recommends never trusting any QR code that comes through an email or unexpected paper mail from an untrusted source. These often falsely present themselves as coming from your bank or other financial institutions and should never be trusted.
When in doubt about a QR code, always confirm with your Sales Rep that the information being requested is in fact from Phillips 66. If you or your employees suspect a malicious QR code has been posted at your site, contact your local authorities and the Phillips Fraud Hotline immediately at 888-482-1838.
For additional resources about this type of scam, check out the links below:
- https://portswigger.net/daily-swig/qr-code-security-best-approaches-to-using-the-technology-safely-and-securely
- https://www.csoonline.com/article/3584773/how-attackers-exploit-qr-codes-and-how-to-mitigate-the-risk.html
- https://www.computer.org/publications/tech-news/trends/qr-code-risks
- https://threatpost.com/qr-codes-cyberattack-usage-spikes/165526/
- https://www.techradar.com/news/are-you-sure-about-the-safety-of-that-qr-code
- https://www.cyberscoop.com/mailicous-qr-codes-fbi-ic3-alert/