FBI issues warning about QR code scam


Since the start of the COVID-19 pandemic, Quick Response, or QR, codes have become more common at restaurants and stores as they can help reduce physical contact with potentially contaminated items.

While QR codes may help prevent exposure to pathogens, the Federal Bureau of Investigation warned this week that cybercriminals could tamper with the codes to steal login and financial information.

QR codes are square barcodes that can be scanned with a smartphone camera to provide quick access to a website. They are often found in restaurants, where customers can scan them with a phone for access to an online menu instead of handling an item that someone else may have touched. Other businesses also use QR codes.

In addition to providing quick access to sites, QR codes can prompt devices to download applications and direct payments to intended recipients. Some cybercriminals tamper with the codes so they redirect victims’ phones to malicious sites to steal data, embed malware, gain access to victims’ devices, track a victim’s location and redirect payments for cybercriminal use.

“While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code,” said the FBI. “Law enforcement cannot guarantee the recovery of lost funds after transfer.”

According to the FBI, to avoid being the victim of a QR code scam, people should:

· Check the URL (website name) after scanning the code to make sure it is the intended site and that it looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter, said the FBI.

· Practice caution when entering login, personal, or financial information on a site navigated to from a QR code.

· Make sure the QR code has not been tampered with, such as with a sticker placed on top of the original code.

· Never download apps from a QR code.

· Never download a QR code scanner app, which increases the risk of downloading malware. Most phones have a built-in scanner through the camera app.

· Call the company directly after receiving any emails about failed payments.

· After receiving a QR code on a device, always reach out to the sender before scanning it.

· Avoid making payments through a site navigated to from a QR code.

Anyone who believes they have been a victim of stolen funds from a tampered QR code should report the fraud to their local FBI field office at www.fbi.gov/contact-us/field-offices and to the FBI Internet Crime Complaint Center at www.ic3.gov.