New Hack Tactics Target QR Codes and QuickBooks Invoices

Last month, the FBI issued an alert about malicious Quick Response (QR) codes—square bar codes that can be scanned by a smartphone’s camera to launch a website.

QR codes have exploded in use since the beginning of the COVID-19 pandemic, offering touch-free ordering at restaurants and retail shops. Cybercriminals have also increased their use of the codes, pointing people to malicious sites that try to steal personal information, install malware on a victim’s device, or redirect financial payments.

Another common hack tactic that’s growing in popularity is fake QuickBooks invoices. As more and more businesses adopt Intuit’s easy-to-use accounting program, the company has promoted its add-on email invoice service. This allows for automated invoice generation, sending, receiving, and tracking—a huge boost for small to medium-sized businesses.

However, scammers have caught on and are starting to imitate these emails, which look similar to QuickBooks messages but point payees who click on a “Review and Pay” button to an illicit website. Once the payee is there, the hacker can steal ACH, banking account, and credit card details. This can have a negative impact on both parties—the customer whose information is compromised and the company that loses out on payment and has its reputation affected.

How Can You Protect Yourself Against Increasing QR and QuickBooks Scams? 

CMIT Solutions has collected the following five tips to keep your personal and business information safe.

1) Look for evidence of physical tampering with QR codes. The most obvious way that hackers attempt to alter a physical QR code is with a sticker. In retail settings, look for temporary adhesives or other signs of tampering. If you spot a problem with an existing code, alert the business before scanning it.

2) Carefully check the website to which a QR code directs you. Most smartphone camera apps will display the first part of a URL before opening it. Make sure it matches the company’s name and doesn’t include random strings of letters and numbers. Once the website does load in your browser, check the URL in detail again—especially before entering any personal information.

3) Inspect the source of any QuickBooks invoice email, as well. You can start this process by looking at the email header, where the sender name and domain are listed. Click to expand the details here so you can look for an official “” listing. Next, hover over the “Review and Pay” button to make sure the URL it points to includes “” These are the two biggest clues that the invoice is legitimate. Other red flags to look for include awkward greetings like “Dear Client” — authentic QuickBooks invoice emails should include your name in the greeting — or PDF attachments that require you to open an additional document before navigating to the payment page.

4) Double-check everything before entering personal or financial information. Whether you’re scanning a QR code or clicking a link in an invoice email, make sure you’ve followed all the steps above before even considering entering your address, credit card number, or other private information. If you have any suspicions, contact the company or business directly and ask whether you can pay via an alternate method, preferably in person or over the phone. If you are ready to proceed, you can take a few more precautionary steps: look for “https” and a lock symbol in the URL, make sure you receive a legitimate email receipt and check your financial account to make sure the transaction is for the correct amount.

5) Watch out for other adjacent scams and illicit attempts. These can vary widely. Some QR code scans will prompt you to download an app when it’s safer to download an app directly from your phone’s app store. If you receive an email alerting you that payment has failed, follow up directly with the company to clarify. Also, be wary of phone calls from people pretending to be QuickBooks support agents or asking about emergency security updates.

Millions of businesses and consumers have adopted QR codes over the last two years, and the use of QuickBooks and its email-generated invoices has increased as well. Both of these procedures have attracted the attention of hackers looking to make a quick buck or steal personal information.
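The sender and link checks from tips 2 and 3, as an added example (not part of the original article and not Intuit tooling): it parses a saved invoice email and flags any sender domain or link host that is not the trusted domain or a subdomain of it, which catches look-alike hosts that merely contain the trusted name. `billing.example` is a placeholder because the article does not name the official domain, and the sample messages are constructed.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "billing.example"  # placeholder: the article does not name the real domain

def host_matches(host, trusted=TRUSTED):
    """True only for the trusted domain itself or a true subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag, i.e. where each button really points."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_invoice(raw, trusted=TRUSTED):
    """Return a list of red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg["From"]))[1]
    if not host_matches(sender.rpartition("@")[2], trusted):
        findings.append(f"sender domain: {sender}")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    links = LinkCollector()
    links.feed(html)
    for href in links.hrefs:
        parts = urlsplit(href)
        if parts.scheme != "https" or not host_matches(parts.hostname, trusted):
            findings.append(f"link target: {href}")
    if "dear client" in html.lower():  # generic greeting named in tip 3
        findings.append("generic greeting")
    return findings

def sample(sender, host, greeting):  # constructed message, not real mail
    return (f"From: Invoices <{sender}>\nSubject: Invoice 1001\n"
            "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
            f'<p>{greeting}</p><a href="https://{host}/pay">Review and Pay</a>\n')

if __name__ == "__main__":
    spoof = sample("inv@billing.example.pay-now.test", "billing.example.pay-now.test", "Dear Client,")
    print(check_invoice(spoof))
```

The From header can itself be forged, so a clean result here is a reason to keep checking, not proof that the invoice is genuine.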

Yet awareness of both hack tactics is growing, underscoring the need for enhanced cybersecurity. At CMIT Solutions, we help businesses and their employees navigate an increasingly challenging digital landscape. We can help you strengthen your use of accounting applications like QuickBooks, manage licenses, and authenticate software updates to protect your business. We can also assist with the proper deployment of payment processes such as QR codes.

CMIT Solutions also helps employees and individuals understand the changing nature of cyberthreats, rolling out ongoing education to keep everyone safe. This aligns with an elevated need for the protection of devices, networks, and IT systems. If you’re worried you’ve been targeted by illicit QR codes or QuickBooks invoices, we can help. Contact CMIT Solutions today to find out more.
