FBI Warns Of Malicious QR Code Campaign To Steal Your Funds, How To Protect Yourself

Phone scanning a QR code to pay
Scanning a QR (Quick Response) code is an easy and convenient way to pull up information, such as a restaurant's menu, but be careful about scanning codes indiscriminately. The US Federal Bureau of Investigation (FBI) has issued a warning about cybercriminals tampering with QR codes in order to steal your money.

What this ruse amounts to is another delivery vector for phishing. Instead of sending a phishing email or text message in the hope of tricking a victim into willingly handing over personal information, including bank login details, a tampered QR code does the same job: it redirects the person who scans it to a malicious site designed to harvest login and financial details. But that's not all.

"Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim's mobile device and steal the victim's location as well as personal and financial information. The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts," the FBI warns.

This is likely most effective in places where businesses post QR codes that send customers to a payment site. It wouldn't take much for a crook to print a fraudulent code and paste it over the legitimate one.

To be clear, the FBI is not saying that QR codes are inherently malicious. But like email, instant messaging, and hyperlinks, they can be manipulated to trick people. To that end, the FBI offers a handful of tips to protect yourself...
  • Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
  • Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
  • If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
  • Do not download an app from a QR code. Use your phone's app store for a safer download.
  • If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.
  • Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
  • If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
  • Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
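The first and last tips boil down to one habit: look at what the code actually decoded to before you act on it. As an added illustration (this is not code from the FBI or from the article), the function below takes the raw text a scanner returned and applies the checks a cautious person would do by eye: is it even a web URL, is it https, is the host one you meant to visit, and if not, does it look like a typo-squat or a trusted name buried inside a different domain. The trusted hosts and the sample payloads are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hypothetical hosts the user actually intends to pay through.
# A scanner app would load these from the user's own list, not hard-code them.
TRUSTED_HOSTS = {"pay.example-parking.com", "www.example-bank.com"}

# Anything that looks like "scheme://" is treated as a URL; other QR payload
# types (WIFI:, tel:, sms:, plain text) are reported as non-URL content.
_SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*://")
_IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch hosts one or two typos away from a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_payload(payload: str) -> dict:
    """Classify a decoded QR payload before anything opens it.

    verdict is one of: "trusted", "suspicious", "unknown", "non-url".
    reasons lists every red flag found, so the user sees why.
    """
    payload = payload.strip()
    if not _SCHEME_RE.match(payload):
        kind = payload.split(":", 1)[0].lower() if ":" in payload else "text"
        return {"kind": kind, "host": None, "verdict": "non-url",
                "reasons": ["payload is not an http(s) URL"]}

    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme}, not https")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host; characters may be lookalikes")
    if _IPV4_RE.fullmatch(host):
        reasons.append("raw IP address instead of a domain name")
    if parts.username or parts.password:
        reasons.append("userinfo before '@' can disguise the real host")

    if host in TRUSTED_HOSTS:
        verdict = "trusted" if not reasons else "suspicious"
        return {"kind": "url", "host": host, "verdict": verdict, "reasons": reasons}

    # Not a trusted host: look for typo-squats and embedded trusted names,
    # e.g. www.example-bank.com.login-verify.net.
    for trusted in sorted(TRUSTED_HOSTS):
        bare = trusted[4:] if trusted.startswith("www.") else trusted
        dist = levenshtein(host, trusted)
        if 0 < dist <= 2:
            reasons.append(f"host is {dist} edit(s) away from trusted host {trusted}")
        elif bare in host:
            reasons.append(f"host embeds trusted name {bare} but is a different domain")

    verdict = "suspicious" if reasons else "unknown"
    return {"kind": "url", "host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would hand them back.
    samples = [
        "https://pay.example-parking.com/meter/1234",
        "http://pay.example-parking.com/meter/1234",
        "https://pay.exarnple-parking.com/meter/1234",
        "https://www.example-bank.com.login-verify.net/",
        "https://www.example-bank.com@203.0.113.5/login",
        "WIFI:T:WPA;S:HomeNet;P:hunter2;;",
    ]
    for s in samples:
        r = classify_payload(s)
        print(f"{r['verdict']:<10} {s}")
        for reason in r["reasons"]:
            print(f"           - {reason}")
```

An "unknown" verdict is not a pass: it only means the host is not on the user's list and shows no obvious tampering, which is exactly the case where the FBI's advice to type a known URL by hand instead of paying through the scanned link applies.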
When in doubt, don't make a payment when directed to a site by a QR code. And to end this on a positive note, see our write-up on how to turn your Wi-Fi network password into a QR code for better security.