
Beware of Fake QR Codes

FBI issues warning, offers tips for scanning the popular black-and-white squares safely


The FBI is warning that cybercriminals have tampered with QR codes to steal consumers’ login and financial information, as well as their money.

Crooks are altering both digital and physical QR codes and replacing them with malicious code, the Jan. 19 warning said.

The modifications can give criminals access to your mobile device, revealing your location and exposing your personal and financial data.

Use caution if you are trying to make a payment using a code, since bad actors will try to redirect your funds, the FBI said.

The FBI also advised:

  • Do not download an app from a QR code; instead use your phone’s app store.

  • Do not download a QR code scanner app. Most phones have a built-in scanner in their cameras.

  • If you recently bought something and you receive an email saying the payment failed and are asked to complete the payment through a QR code, call the company to verify this. Locate the company’s phone number from a trusted site, not the phone number given in the email.

  • If you believe your funds have been stolen from an altered QR code, contact your local FBI field office.



Growth in popularity

QR codes — technically, quick response codes — are black-and-white squares that are seemingly everywhere.

They’ve grown increasingly common during the pandemic, cybersecurity professionals say, as coronavirus fears have triggered a demand for touchless transactions. You can show a QR code on your smartphone screen to board an airplane or enter a sporting event, or use your phone's camera to scan a code to learn what’s on a restaurant menu or when the next bus is due.

The codes also appear in direct-mail ads and at retail outlets. Stroll a pharmacy's aisles and you'll see QR codes on packaging for a range of consumer products, from baby food to over-the-counter pain relievers. Scan the code to visit a company's website, get more information about a product, or perhaps even score a coupon or discount.

Danger can lurk behind QR codes

While many of the machine-readable optical labels are trustworthy, some can be downright dangerous. And if you fall victim to a crook lurking behind a fraudulent QR code, you may, in fact, need that extra-strength pain relief.

Here are seven things to keep in mind before scanning a QR code:

1. Fraudsters have used QR codes for years. The codes came on the scene 27 years ago when Japanese automakers used them to track parts and inventory. “Whenever a new technology or a new offering comes out, cybercriminals look for ways to manipulate it,” says Angel Grant, vice president of security for Seattle-based F5 and a certified information-systems security professional. “So we've seen criminals targeting QR codes pretty much from when they were originally put out.”

2. When eyeballing a QR code, remember those lessons from Cybersecurity 101. Just as you should never click on suspicious hyperlinks or download fishy attachments — especially anything sent by strangers — you should avoid suspicious QR codes, which can take you to weird websites or sites that are created to look safe but are nothing but trouble.

At worst, a crook can download malware onto your device or direct you to a fraudulent website to try to steal your money, grab your personal and financial data or log-in credentials, and wreak havoc. Your online financial accounts, peer-to-peer payment apps, contacts, social media accounts and photos are among the things that could be compromised.

"Because QR codes are being used in a lot of new and different ways, they are a natural target for cybercriminals."

Angel Grant, vice president of security, F5

3. Criminals have been known to distribute fliers with malicious QR codes or to attach stickers with fraudulent codes over existing, legitimate ones in public places such as bus stops. Consider the criminal who slapped fake parking tickets on windshields and offered the supposed scofflaws the option of paying their fines by scanning QR codes, says Tracy C. Kitten, director of fraud & security for Javelin Strategy & Research. “And when you scan it, malware [malicious software] gets installed on your device to access your personal info and a whole host of other info,” Kitten says.

"QR code abuse closely aligns with phishing attacks...which within the last two to three years have gotten more sophisticated."

Tracy C. Kitten, director, fraud & security, Javelin Strategy & Research

4. Do not trust a QR code that was supposedly emailed by a friend (whose account may have been hacked) or that appeared in a text, online post or mail piece. Instead, use a browser and visit a website using a domain name you know is legit.

5. Avoid using a QR code to pay a bill. There are many other payment methods that are less susceptible to fraud.

6. QR codes may seem harmless, not least because the naked eye can't detect what the codes are programmed to do. So trust your gut, Kitten advises. “If the code is stuck to the side of a napkin dispenser and looks suspect, don't use it. Ask for a menu."

7. Consider adding protection that checks for malicious or inappropriate content, advises Grant, who says many firms, including Sophos Mobile Security and Kaspersky, offer mobile products.

QR codes can come in handy

The bottom line: QR codes can be created quickly and easily, but like other tech tools hijacked by fraudsters, they also serve a legitimate purpose in commerce and everyday life.

A couple of her friends, Grant says, use QR code generators to share their Wi-Fi passwords with guests, “because when their kids’ friends come over, they're always like, ‘Hey, what's your Wi-Fi?'

"So now when their kids’ friends come over, they go over to the refrigerator [where the QR code is placed] and now they're on the house Wi-Fi without having to bother the parents all the time."

Katherine Skiba covers scams and fraud for AARP. Previously she was a reporter with the Chicago Tribune, U.S. News & World Report, and the Milwaukee Journal Sentinel. She was a recipient of Harvard University's Nieman Fellowship and is the author of the book Sister in the Band of Brothers: Embedded with the 101st Airborne in Iraq.

AARP’s Fraud Watch Network can help you spot and avoid scams. Sign up for free Watchdog Alerts, review our scam-tracking map, or call our toll-free fraud helpline at 877-908-3360 if you or a loved one suspect you’ve been a victim.