FBI warns criminals are using fake QR codes to scam users

Beware what you scan. Criminals may be watching.

January 20, 2022, 1:16 PM

Cybercriminals could use altered Quick Response (QR) codes to steal personal and financial information of unsuspecting customers, the FBI warns.

QR codes are all around us these days, and they're used for everything from restaurant orders to donations. During the pandemic, many restaurants began using QR codes in place of paper menus.

How it works: A code is scanned via a phone camera app, and the user is then redirected to the relevant website.

Trouble can arise, the FBI says, when the codes have been altered. Unwitting users can be directed to malicious sites that prompt them to enter their financial and login information or that expose them to malware.

"While QR codes have been around for a very long time, certainly in recent years, they've gained more widespread use," Dave Ring, section chief of the FBI's Cyber Division, told ABC News. "Part of that is with the pandemic and a drive toward being as contactless as possible, QR codes give people the opportunity to just use their phone camera and scan a QR code."

Police in San Antonio, Texas, warned that fake QR codes were found on parking meters throughout the city. "People attempting to pay for parking ... may have been directed to a fraudulent website and submitted payment to a fraudulent vendor," a tweet from the department said.

Ring said the San Antonio scam was the "perfect example" of people exploiting a simple, daily exercise, and the FBI warned that criminals could be taking advantage of people through other similar tactics.

"A cybercriminal can swap out a completely innocuous legitimate QR code for one that directs people to a malicious site, and that malicious site may prompt someone to click a link and could potentially download malware onto their device," Ring said.

The redirect can also take users to what appears to be a banking website but is actually fraudulent, he added.

"Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim's mobile device and steal the victim's location as well as personal and financial information," the FBI bulletin said. "The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts."

To avoid trouble, the agency urges people to check the URL that a code leads to and to use caution when entering financial and other personal information.

"Just always practice caution when you're looking at putting in any login information, personal information or financial information when you navigate from a QR code or from any link that you don't know for sure is where you're trying to go," Ring said.