QR codes are the square barcodes that phone cameras quickly scan to get to website, now often used for menus in restaurants. They can also be used to bring a user to downloads or direct to a payment.
“Businesses use QR codes legitimately to provide convenient contactless access and have used them more frequently during the COVID-19 pandemic. However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use,” the FBI wrote.
This warning comes soon after the Massachusetts State Police issued a warning that QR codes on parking metersmay link users to fraudulent payment sites. In these cases, instead of paying for parking, the victim ends up submitting payment information to scammers.
Scammers are accused of tampering with both digital and physical QR codes to replace legitimate codes with malicious ones so that when a victim thinks they are scanning a real code, it actually directs them to a malicious site.
Here, they are prompted to enter login or financial information that gives cybercriminals access to funds from their accounts.
Malicious QR codes may also contain embedded malware, the FBI warned, allowing scammers to gain access to the victim’s phone to steal personal information like their location. Stolen information can also be used to withdraw money from accounts.
“While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code. Law enforcement cannot guarantee the recovery of lost funds after transfer,” the agency said.
The FBI listed the following advice to help users protect themselves from QR code scams:
- Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Practice caution when entering login, personal or financial information from a site navigated to from a QR code.
- If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
- Do not download an app from a QR code. Use your phone’s app store for a safer download.
- If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company’s phone number through a trusted site rather than a number provided in the email.
- Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
- If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
- Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
Anyone who believes they may be a victim of stolen money from a tampered QR code are encouraged to contact their local FBI office. The agency also encouraged victims to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.
© 2022 Advance Local Media LLC. Distributed by Tribune Content Agency, LLC.