Be Cautious With QR Codes: The Latest Scams Are Ingenious

Wyoming cybersecurity experts warn about a growing threat going into the holiday season — scanning QR codes with your phone. If you’re not careful, they can be yet another way digital thieves can rob you blind.

Jen Kocher

October 13, 2024


As the holidays near, cyber experts are warning Wyoming residents to be hyper-vigilant about unsolicited package and other insidious scams involving QR codes.

The way it works is that a scammer sends an unsolicited package to a person, usually using publicly available names and addresses. The scam is known as “brushing” and typically involves items sent from an unknown sender through reputable shipping companies like FedEx and UPS.

Inside the package is a QR, or quick response, code that residents are instructed to scan to find the identity of its sender.

Once they scan the code, the scammer then has access to a variety of personal and financial information.

The practice is not new, but over the past few years, scammers have become more sophisticated in how they trick unsuspecting people into scanning.

How It Works

In 2022, the FBI issued a warning alerting people to the practice. The warning states that cybercriminals are using QR codes in a variety of ways, including directing the unsuspecting victim to a malicious site where they are prompted to enter login or financial information.

In other instances, scammers embed malware into the malicious QR codes that allows them to access the victim’s smartphone or mobile device to steal personal and financial information.

J. Michael Skiba, also known as Dr. Fraud, is an international expert on financial crimes and fraud, including cybercrimes. He said that QR scams first started getting popular during the pandemic.

He’s seen a variety of QR scams involving unsolicited packages, most of which involve free giveaways.

For example, a scammer might send a free pen under the guise of a company asking the recipient to scan the QR code to leave a review. The products typically are low-end, cheap, under $10, Skiba said.

The QR code may direct that person to an imposter website impersonating a legitimate business. Or they may grab information directly from the phone, he said.

“You’ve got to remember that when you’re scanning it [the QR code], your phone’s unlocked, right?” he said, “so it’s kind of like open season.”

He likens it to similar scams like phishing in which a person clicks on a hyperlink that either takes them to a fraudulent website or downloads malware designed to take specific information the hacker has written into its code.

In some cases this could range from putting spyware on the phone, by which the hacker can surveil the person, to stealing passwords or other personal information.

“Everyone’s life is on their phone,” he said, “so, you don’t know what they can grab from that.”

Psychology Of Quid Pro Quo

Giving away free products also gives the scam a modicum of legitimacy in that it creates a psychological quid pro quo that is effective in prompting a response, Skiba said.

This is why scams involving free upgrades from Microsoft and other companies are effective, he said, because people naturally want to engage when they feel like a company is offering them something for free.

This includes pens and other products, even low-value ones.

“It really penetrates that psychological kind of shield we have, so it adds legitimacy,” Skiba said.

No Reports In Wyoming Yet

Nonprofit CyberWyoming has not received any reports yet of such scams in Wyoming, according to Natalie Demple, marketing and public relations spokesperson.

Law enforcement in the state’s major cities has likewise not received reports, nor has the Wyoming Division of Criminal Investigation, said Ryan Cox, DCI commander.

“I just recently learned about this scam, and I am not aware of DCI taking any such reports,” he said in an email to Cowboy State Daily.

Brent Wasson, deputy chief of police in Gillette, said his department has not received any reports of this particular QR package scam.

Neither have there been any reported incidents in Casper, according to Amber Freestone, public information officer for the Casper Police Department.

It also does not appear to be a widespread issue in the Cheyenne community at this time, according to Alexandra Farkas, public information officer for the Cheyenne Police Department, who warned residents to be hyper vigilant when scanning QR codes and to report any suspicious activity.

High Stakes If Hacked

Pete Herzog, an experienced hacker and security analyst based in Spain who specializes in investigations and asset recovery, told Cowboy State Daily that recovering lost money and other assets is incredibly difficult, if not impossible.

He said that even if a person turns in a report to the police or to federal agencies, the money typically is already overseas. In most cases, he said, the dollar amount has to be high enough to warrant a response.

“Those that do asset recovery are not going to touch you for less than $2 million, so you really need to have a lot of money in the fire for them to react,” he said.

Chris Bonatti, president and CEO of Casper-based International Electronic Communication Analysts, Inc., who specializes in cybersecurity, agreed. He said that it’s incredibly difficult, if not impossible, to claw back lost funds and other assets unless you involve federal law enforcement agencies and the U.S. State Department.

“It’s more a regulatory than it is a cybersecurity problem because you have to get authorities involved, and you have to seize assets and so on,” he said. “But unless it's a lot of money, I think I would move on. It'll cost you more than it will net you in a lot of cases.”

Per protocol, Vikki Migoya, public affairs officer for FBI Denver, which oversees Wyoming, said the agency could not confirm or deny any particular active investigations involving package scams.

Hostile Environment

Bonatti is very familiar with QR code scams and said they can be incredibly dangerous.

“It’s not a hoax,” he said. “It’s a real thing that can happen.”

He said that once a person scans the fraudulent code, they are typically directed to a malicious website that may be impersonating a legitimate one. The user may not even recognize they are on a fraudulent site.

Once the user is on the malicious site, a script will launch some type of pre-planned attack on the device in order to exploit vulnerabilities in the phone’s web browser with the intent of installing malware.

This malware can be coded to perform any number of functions per the scammer’s specifications, Bonatti said, including stealing login credentials, banking or other credit information, crypto wallets or contacts, among other functions.

“If their attack succeeds, and they're able to find an exploitable vulnerability, the sky is the limit,” he said.

He also noted that once malware has infiltrated a device, scammers can add additional malware with different capabilities to further exploit the breach.

It’s an extremely hostile environment, Bonatti said.

“Different threat groups are launching specific attacks, so different campaigns will be targeting different things.”

If a person is hacked, Bonatti suggests dumping the phone, complete with its SIM card. He also said that cyber security apps aren’t great because mostly they have been designed to protect against earlier scams and not ones occurring in real time.

“There is no good or guaranteed way today to recover from a malware infection, because you may never know what else was done to your phone,” he said.

He further noted that scrapping one's phone and SIM card does not necessarily mean a person has to get a new phone number or lose their data. Also, he said, the phone itself could probably be recovered too, but would likely require a trip to the manufacturer to be certain the phone is clear of malware, which is not cost-effective.

Verify, Then Verify

Skiba’s advice is to throw away or return the unsolicited packages and to verify that the QR code is linked to a legitimate website. For example, he said that if you scan the code and it starts asking for information or offering a certain percentage off for signing up, you should instead go to that company’s website and verify the offer is legitimate.

He also warned against scanning QR codes in public places even if they seem authentic. Bad actors have gotten really good at fooling people by pasting their own fraudulent QR codes over legitimate ones in restaurants, stores and other private and public places.

“Most public places are really easy for fraudsters, so again, I would say verify, then try,” Skiba said.

Along with QR code scams around the holidays, he also warned of e-card scams, whereby a person or company sends an email containing an e-card with a link mimicking a legitimate company like Starbucks.

“I’ve seen a lot of e-card frauds,” he said.

He advised people to call that person or company to see if they sent the e-card or to enter the e-card number on the company’s website to see if it’s legitimate.

“We need to get back to the old personal verification,” he said. “That’s the only way.”

FBI Says ...

• Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.

• Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.

• If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.

• Do not download an app from a QR code. Use your phone's app store for a safer download.

• If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.

• Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.

• If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.

• Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.

Jen Kocher can be reached at jen@cowboystatedaily.com.

Authors

Jen Kocher

Features, Investigative Reporter