The FBI has released a public service announcement (PSA) to warn the public about cybercriminals using Quick Response (QR) codes to steal financial information.
QR codes are a “square barcode that a smartphone camera can scan and read to provide quick access to a website, to prompt the download of an application, and to direct payment to an intended recipient.” The FBI notes that QR codes have been used frequently during the COVID-19 pandemic to allow contactless access. For example, one may have scanned a QR code to access a restaurant menu during the past two years of the pandemic.
Cybercriminals are taking advantage of these codes, however, by using them to direct individuals to malicious sites to steal data, embed malware to gain access to victims’ devices, and redirect payment for cybercriminal use.
“Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes,” wrote the FBI in the PSA. “A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.”
The FBI provided the following tips for people to protect themselves while using QR codes:
- Once a code is scanned, check the URL to ensure it is the intended website and looks authentic;
- Practice caution when entering login, personal, or financial information to a site navigated to from a QR code;
- Ensure a physical QR code hasn’t been tampered with;
- Don’t download an app from a QR code, but instead use your device’s app store;
- If an email is received stating that payment has failed from a company you recently made a purchase with and the company states you can only complete payment via QR code, call the company to verify and locate the company’s phone number through a trusted site;
- Don’t download a QR code scanner app as it increases the likelihood of downloading malware. Most phones have a built-in scanner through the camera;
- If a QR code is received that you believe to be from someone you know, reach out to them through a verified number or address to confirm it is them; and
- Avoid making payments through a site generated from a QR code. Use a known and trusted URL to complete the payment manually.
Further, while the FBI says that law enforcement cannot guarantee the recovery of lost funds after a transfer, people who believe that they are the victim of stolen funds from a tampered QR code should report the fraud to a local FBI field office. Additionally, victims are encouraged to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.