MEMPHIS, Tenn. — Before pulling out a cell phone camera and scanning a QR code, pause and check it out.
The Federal Bureau of Investigation warns that its Internet Crime Complaint Center (IC3) is receiving reports of cybercriminals tampering with QR codes – both online and physical QR codes in businesses – to redirect people to other sites to steal information.
The QR code is a square barcode that, when scanned by a smartphone camera, can lead the user to a website; many restaurants have used them for menus since the COVID pandemic. Legitimate businesses use them to provide convenient access for customers to information, downloads, payments, and more.
The FBI said cybercriminals are tampering with the legitimate codes, replacing them with others that could take a user to a malicious site that asks for logins and financial information.
The codes could also contain malware, which allows the crooks to gain access to a victim’s mobile device, cell phone, or tablet, and then lets them steal information that could allow them to take money from the user’s accounts.
How to protect against malicious QR codes
Here are some tips from the FBI’s IC3 on how to avoid becoming a victim of these malicious QR codes.
- Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
- If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
- Do not download an app from a QR code. Use your phone's app store for a safer download.
- If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.
- Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
- If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
- Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
Report QR code fraud to the local FBI field office at www.fbi.gov/contact-us/field-offices. The FBI also encourages victims to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.