
Scammers Devise Ways to Use QR Codes

The FBI has issued a warning to Americans that they should exercise caution when scanning QR codes with their smartphones because cybercriminals tamper with the codes to steal login and financial information.

A QR code—the square barcode that people can scan with their smartphone cameras—can provide quick and convenient access to a website or to a direct payment to an intended recipient.

Businesses have started using QR codes to provide contactless access to services, for instance letting diners open a restaurant's menu on a smartphone and order from it directly. But the more convenient the technology makes life, the more ways scammers find to exploit it.

The FBI said in an initial alert in late January that it had discovered cybercriminals tampering with both physical and digital QR codes, swapping them for malicious ones. “Unfortunately, they’re relatively widespread,” Stephanie Walker, assistant section chief of the FBI Cyber Division, told ABC News on Feb. 16, as the agency reiterated its call for people to use caution when scanning QR codes.

Criminals use tampered QR codes to direct people to malicious sites that steal their data, to break into victims’ devices by planting malware on them, or to redirect payments into their own pockets.

“What happens when you scan a QR code that isn’t the one you’re supposed to be scanning is that can give the criminal access to your phone, which then allows them access to any apps that you normally use,” Ms. Walker said.

“It can also drop some sort of computer intrusion type software that can alter your phone and steal credentials,” she added.

The FBI explained in its earlier alert that, after gaining access to a person’s credentials and other financial information, cybercriminals can use them to withdraw funds from the victim’s accounts.

The FBI’s El Paso division said in September that the agency began receiving reports in 2022 of people falling victim to QR code scams, with cryptocurrency fraud an area of particular concern. That is because crypto transactions are often made through QR codes associated with crypto accounts, which makes these types of transactions “easy marks,” the FBI said at the time.

Scammers were also using malicious QR codes and gift cards as part of a single ploy.

“Scammers may call and say they’re going to send a QR code to your phone so you can receive a free $100 gift card. In reality, the QR code may take you to a malicious website,” the FBI’s El Paso division said.

“If you make a payment through a bad QR code, it’s difficult, if not impossible, to get those funds back,” it added.

How to Protect Yourself

The FBI offered several tips to avoid becoming the victim of a QR code scam.

First, the agency says that people should ensure that the website address, or URL, that appears when a QR code is scanned looks legitimate and is the intended site. Malicious domains may mimic the intended URL but carry slight alterations such as typos or misplaced letters.
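One way to apply this check to the text a scanner hands back, as an added example that is not from the FBI's alert or the article: it compares the host in the decoded URL with the site the user meant to reach and flags transposed-letter lookalikes, the expected name embedded in an unrelated domain, and payloads that are not web URLs at all. The `check_qr_url` function, the host names and the sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so a pair of swapped letters costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_qr_url(decoded: str, expected_host: str) -> str:
    """Classify text decoded from a QR code against the host the user intended.
    Returns 'ok' (expected site or a subdomain of it), 'embedded' (expected
    name inside an unrelated host), 'lookalike' (punycode label or a domain
    within two edits of the expected one), 'not_a_web_url', or 'mismatch'."""
    parts = urlsplit(decoded.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return "not_a_web_url"           # payment URIs, Wi-Fi payloads, plain text
    host = parts.hostname.rstrip(".")    # .hostname is already lowercased
    expected = expected_host.lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return "ok"
    if expected in host:
        return "embedded"                # e.g. bank.example.com.verify-login.net
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"               # IDN label that may hide homoglyphs
    # Assumption: the registrable domain is the last two labels; this ignores
    # multi-part public suffixes such as co.uk (use a PSL library for those).
    registrable = ".".join(labels[-2:])
    expected_registrable = ".".join(expected.split(".")[-2:])
    if osa_distance(registrable, expected_registrable) <= 2:
        return "lookalike"
    return "mismatch"

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app might return them
    for payload in ("https://pay.bank.example.com/invoice/42",
                    "https://bank.exmaple.com/login",
                    "https://bank.example.com.verify-login.net/",
                    "WIFI:T:WPA;S:cafe;;"):
        print(f"{check_qr_url(payload, 'bank.example.com'):14} {payload}")
```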

Exercise caution when providing sensitive information after scanning a QR code, especially login or financial details.

When scanning a physical QR code, people should verify that the code hasn’t been tampered with, such as by adding a sticker on top.

And be careful of downloading apps directly from QR codes. Instead, the FBI says people should rely on their phone’s app store for safer downloads.

If prompted to complete a payment via a QR code in an email claiming a failed transaction, people should contact the company directly to confirm the authenticity of the message, according to the FBI. They should also obtain the company’s contact details from a trusted source, not from the email containing the QR code.

Also, people should avoid downloading QR code scanner apps to minimize the risk of malware. Most smartphones have built-in QR code scanning features in camera apps.

Above all, the FBI recommends that people avoid making payments through a site reached from a QR code. Instead, manually entering a known and trusted URL to complete the payment is the safer option.