
FBI: Hackers Are Compromising Legit QR Codes to Send You to Phishing Sites

The scheme exploits how QR codes have grown in popularity during the pandemic.

By Michael Kan
January 19, 2022
(Photo by Noam Galai/Getty Images)

Watch out for fake QR codes at your favorite restaurant or shop. The FBI is warning that cybercriminals have been tampering with legitimate QR codes to try to trick unsuspecting users into loading scam websites.

On Tuesday, the FBI issued the alert, warning that cybercriminals have been targeting both physical and digital QR codes. “A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information,” the agency added. 

The scheme exploits how QR codes have grown in popularity during the pandemic as a contactless way to access information. This can include scanning a QR code to view a restaurant’s menu or even place an order. 

“However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use,” the FBI said. 

The tactic is basically a spin-off of phishing scams, in which hackers use fake emails and messages from legitimate companies to trick victims into giving up their password or downloading malware. The culprits are now pasting their phishing scams on top of legitimate QR codes, including those found on parking meters, as police in Texas recently found.   

The FBI added that QR codes “are not malicious in nature.” The technology is really just a barcode; once scanned, it will decode into a URL your smartphone can visit with a single tap. It’s that URL that could lead you to a phishing website or malware posing as an app. 

As a result, the FBI is urging users to double-check the URL from a scanned QR code to “make sure it is the intended site and looks authentic.” If the URL contains typos or a misplaced letter, it may be a phishing page. 

“If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code,” the FBI added. “Do not download an app from a QR code. Use your phone's app store for a safer download.”

When in doubt, you can also manually enter a known and trusted URL into your smartphone, rather than scan the QR code.
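The FBI's advice above amounts to a check a scanner app or a venue auditing its own printed codes can automate: decode the QR payload, confirm it is a web URL for the expected site, and flag near-miss or lookalike hosts. The following is an added illustration, not code from the article or from the FBI; the expected host, the sample payloads and the edit-distance threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed assumption: the site the sign or menu is supposed to point at.
EXPECTED_HOST = "menu.example-restaurant.com"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits separating two hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_qr_payload(payload: str, expected_host: str = EXPECTED_HOST, max_edits: int = 2):
    """Classify decoded QR text before opening it: returns (verdict, reason)."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Non-web payloads (app-store or custom schemes) can trigger installs; per FBI, use the store instead.
        return "suspicious", f"not a web URL (scheme {scheme or 'none'!r})"
    if "@" in parts.netloc:
        # user@host trick: the part before '@' is ignored by the browser, the real host follows it.
        return "suspicious", "netloc contains '@'; real host is after the '@'"
    host = (parts.hostname or "").lower()
    if host == expected_host or host.endswith("." + expected_host):
        if scheme != "https":
            return "suspicious", "expected host but plain http"
        return "ok", f"host {host!r} matches the expected site"
    if expected_host in host:
        # The real name embedded as a subdomain of a different registrable domain.
        return "suspicious", f"expected name embedded inside another domain: {host!r}"
    dist = edit_distance(host, expected_host)
    if dist <= max_edits:
        # A typo or misplaced letter, as the FBI describes.
        return "suspicious", f"host {host!r} is {dist} edit(s) from {expected_host!r}"
    return "unknown", f"host {host!r} is unrelated to the expected site; verify by hand"


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner or a bulk audit of printed codes might produce.
    for sample in [
        "https://menu.example-restaurant.com/today",
        "https://menu.example-restaurant.co/today",
        "https://menu.exarnple-restaurant.com/",
        "https://menu.example-restaurant.com@order-login.net/",
        "appstore://install?id=menu",
    ]:
        print(sample, "->", check_qr_payload(sample))
```

A "suspicious" verdict should block the automatic open and show the decoded URL to the user, which is the manual check the FBI recommends.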

About Michael Kan

Senior Reporter

I've been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.