The FBI is warning people to be careful when scanning QR codes because criminals swap them for malicious codes and steal victims’ information or money.
The FBI has issued a new warning to Americans that they should exercise caution when scanning QR codes with their smartphones because cybercriminals tamper with the codes to steal login and financial information.
A QR code—the square barcode that people can scan with their smartphone cameras—can provide quick and convenient access to a website or to a direct payment to an intended recipient.
Businesses use QR codes to provide contactless access to services, for instance, enabling access to restaurant menu items on a smartphone that can then be conveniently ordered.
However, the FBI stated in an initial alert in late January that it discovered that cybercriminals were tampering with both the physical and digital QR codes to swap them for malicious codes that, when scanned, pose a risk to users.
“Unfortunately, they’re relatively widespread,” Stephanie Walker, assistant section chief of the FBI Cyber Division, told ABC News on Feb. 16, with the agency reiterating its call for people to use caution when scanning QR codes.
Criminals use modified malicious QR codes to direct people to malicious sites to steal their data, break into victims’ devices by embedding malware on them, or redirect payments for immediate financial gain.
“What happens when you scan a QR code that isn’t the one you’re supposed to be scanning is that can give the criminal access to your phone, which then allows them access to any apps that you normally use,” Ms. Walker said.
“It can also drop some sort of computer intrusion type software that can alter your phone and steal credentials.”
The FBI explained in its earlier alert that, after gaining access to a person’s credentials and other financial information, cybercriminals can use it to withdraw funds from victim accounts.
“Law enforcement cannot guarantee the recovery of lost funds after transfer,” the FBI stated.
The FBI’s El Paso division said in September 2023 that the agency began receiving reports in 2022 that people were falling victim to QR code scams, with cryptocurrency fraud being an area of particular concern.
By Tom Ozimek