Always looking for opportunities to wreak havoc on a convenience, fraudsters are now turning Quick Response (QR) codes against us. According to the FBI, cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.

QR codes have been around since the 1990s and provide a convenient way for businesses to digitally connect us to their menus, pay for parking or enter a special event. We simply scan the square barcode with our smart phones and – voila – we're in. Use of QR codes has become even more prevalent during the Covid-19 pandemic as we strive for “touchless" everything.

But a recent FBI warning states that malicious QR codes from fraudsters contain embedded malware, allowing a criminal to gain access to our mobile devices to steal our location, plus personal and financial information. Fraudsters can also easily slap a new code over an existing code—an unsuspecting consumer may think they are entering payment or other personal info for a legitimate business, only for it be routed to cybercriminals. The FBI says the cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts.

Here are some tips to help you be more cautious when using QR codes:

  • Once you scan a QR code, check the URL to make sure it's the intended site and looks authentic. A malicious domain name may be similar to the intended URL, but with typos or misplaced letters.
  • Practice caution when entering login, personal or financial information from a site accessed via a QR code. If scanning a physical QR code, ensure that it has not been tampered with, such as with a sticker placed on top of the original code. Do not download an app from a QR code. Use your phone's app store for a safer download.
  • If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.
  • Do not download a QR code scanner app. This increases your risk of downloading malware onto your device.
  • If you received a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is actually from them.
  • Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.

If you believe you have been a victim of stolen funds from a tampered QR code, report the fraud to your local FBI field office at www.fbi.gov/contact-us/field-offices. The FBI also encourages victims to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.