The FBI has issued a new warning to Americans that they should exercise caution when scanning QR codes with their smartphones because cybercriminals tamper with the codes to steal login and financial information.
A QR code—the square barcode that people can scan with their smartphone cameras—can provide quick and convenient access to a website or to a direct payment to an intended recipient.
Businesses use QR codes to provide contactless access to services, for instance, enabling access to restaurant menu items on a smartphone that can then be conveniently ordered.
However, the FBI stated in an initial alert in late January that it discovered that cybercriminals were tampering with both the physical and digital QR codes to swap them for malicious codes that, when scanned, pose a risk to users.
“Unfortunately, they’re relatively widespread,” Stephanie Walker, assistant section chief of the FBI Cyber Division, told ABC News on Feb. 16, with the agency reiterating its call for people to use caution when scanning QR codes.
Criminals use modified malicious QR codes to direct people to malicious sites to steal their data, break into victims’ devices by embedding malware on them, or redirect payments for immediate financial gain.
“What happens when you scan a QR code that isn’t the one you’re supposed to be scanning is that can give the criminal access to your phone, which then allows them access to any apps that you normally use,” Ms. Walker said.
“It can also drop some sort of computer intrusion type software that can alter your phone and steal credentials.”
The FBI explained in its earlier alert that, after gaining access to a person’s credentials and other financial information, cybercriminals can use it to withdraw funds from victim accounts.
“Law enforcement cannot guarantee the recovery of lost funds after transfer,” the FBI stated.
The FBI’s El Paso division said in September 2023 that the agency began receiving reports in 2022 that people were falling victim to QR code scams, with cryptocurrency fraud being an area of particular concern.
Because crypto transactions are often made through QR codes associated with crypto accounts, that makes such transactions “easy marks,” the FBI said at the time.
Scammers were found to be using malicious QR codes and gift cards as part of a single ploy.
“Scammers may call and say they’re going to send a QR code to your phone so you can receive a free $100 gift card. In reality, the QR code may take you to a malicious website,” the FBI’s El Paso division stated.
“If you make a payment through a bad QR code, it’s difficult, if not impossible, to get those funds back.”
Protecting Yourself
The FBI offered several tips to avoid becoming the victim of a QR code scam.
First of all, the agency says that people should ensure that the website address, or URL, that pops up when a QR code is scanned appears legitimate and is the intended site. Malicious domains may mimic the intended URL but have slight alterations such as typos or misplaced letters.
People are also urged to exercise caution when providing sensitive information after scanning a QR code, especially login or financial details.
The FBI says that, when scanning a physical QR code, people should verify that the code hasn’t been tampered with, such as by a sticker placed over the original code.
Also, the agency cautions against downloading apps directly from QR codes. Instead, the FBI says people should rely on their phone’s app store for safer downloads.
If prompted to complete a payment via QR code in an email claiming a failed transaction, people should contact the company directly to confirm the authenticity of the message, according to the FBI. They should also obtain the company’s contact details from a trusted source, not from the email containing the QR code.
Further, people should avoid downloading QR code scanner apps to minimize the risk of malware. Most smartphones have built-in QR code scanning features in camera apps.
In general, the FBI recommends that people avoid making payments through a site navigated from a QR code. Instead, manually entering a known and trusted URL to complete the payment is a safer option.
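As an added illustration of the URL check the FBI recommends (this is example code, not from the FBI or the article), the function below classifies a URL decoded from a QR code against a constructed allowlist of the domains a user actually intends to reach, flagging typos, swapped letters and a trusted name used as a subdomain of some other domain. The domain names and the 0.8 similarity threshold are assumptions chosen for the example.

```python
import difflib
from urllib.parse import urlsplit

# Constructed allowlist: domains the user intends to reach (example values).
TRUSTED_DOMAINS = ("example-bank.com", "example-restaurant.com")


def registrable_domain(host):
    """Naively reduce 'www.shop.example-bank.com' to 'example-bank.com' (last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_qr_url(url, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Classify a URL decoded from a QR code before the user follows it.

    Returns (verdict, trusted_match) where verdict is one of:
      'trusted'   - registrable domain is on the allowlist
      'lookalike' - resembles an allowlisted domain (typo, swapped letters,
                    or a trusted name placed in front of another domain)
      'unknown'   - a web URL that matches nothing on the allowlist
      'not_web'   - not an http(s) URL at all (tel:, mailto:, malformed, ...)
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return "not_web", None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "not_web", None
    host = parts.hostname.lower()
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted", domain

    # A trusted name used as a subdomain of an unrelated domain
    # ("example-bank.com.evil.test") is a lookalike, not a match.
    for t in trusted:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "lookalike", t

    # Closest allowlisted domain by character similarity; catches typos
    # and misplaced letters such as "exampel-bank.com".
    best = max(trusted, key=lambda t: difflib.SequenceMatcher(None, domain, t).ratio())
    ratio = difflib.SequenceMatcher(None, domain, best).ratio()
    if ratio >= threshold:
        return "lookalike", best
    return "unknown", None
```

A "lookalike" or "unknown" verdict is the point at which the FBI's advice applies: do not enter credentials or pay on that page, and type the known address by hand instead.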