The FBI is warning that cybercriminals are tampering with Quick Response (QR) codes in order to steal the personal and financial information of unsuspecting customers.
The checkerboard barcodes can be scanned using a smartphone camera, which then links the user to the relevant website, provides a prompt to download an application, or directs payment to an intended recipient.
QR codes rose in popularity during the coronavirus pandemic as more businesses began using them to provide customers with contactless options to receive and pay for services.
However, the bureau said cybercriminals are taking advantage of the technology by altering "both digital and physical" QR codes and replacing them with "malicious code."
“A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information,” the agency wrote in a public service announcement posted last week.
These fraudulent QR codes may also contain “embedded malware” that gives cybercriminals access to the victim’s devices in order to steal the victim’s location, passwords and banking information, according to the FBI.
Authorities in Texas recently reported a rash of fraudulent QR codes found on parking meters throughout some of its largest cities. Parking enforcement officers in Austin discovered fraudulent codes at more than two dozen pay stations.
"People attempting to pay for parking using those QR codes may have been directed to a fraudulent website and submitted payment to a fraudulent vendor," a tweet from the department warned.
Similar fake stickers were also reportedly found affixed to meters in Houston and San Antonio earlier this year. Officials in all three cities noted they don't accept parking payments in the form of QR codes.
How to protect yourself from QR code scammers
The FBI offers tips to protect yourself from QR code scammers:
- Check the URL to make sure it is the intended website and is spelled correctly because a malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Ensure that a physical, legitimate QR code hasn’t been tampered with, such as with a sticker placed on top of the original code.
- Avoid making payments through a site reached via a QR code. Instead, manually enter a known and trusted URL to complete the payment.
- Call the company to verify whenever you receive an email asking you to pay through a QR code. Locate the company's number through a trusted site rather than the number provided in the email.
- If you receive a QR code that you believe to be from someone you know, reach out to them to verify.
- Don’t download a QR code scanner application, as doing so increases the risk of downloading malware. Most phones have a built-in scanner through the camera application.
- Download applications from your phone’s app store instead of from a QR code.
If you believe you have been a victim of stolen funds from a tampered QR code, report the fraud to your local FBI field office at www.fbi.gov/contact-us/field-offices. The FBI also encourages victims to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.