FBI Warns Cybercriminals Can Modify QR Codes to Steal Victim Funds

By Daniel Farber Huang

February 23, 2022





The FBI has recently issued a warning to the public to raise awareness of malicious Quick Response (QR) codes. Cybercriminals are tampering with QR codes in order to redirect victims to malicious sites that steal login and financial data.


A QR code is a type of barcode that a smartphone's camera can read to provide fast access to a website, to prompt the download of an app, or to send money to a specified recipient. Companies legitimately use QR codes for quick contactless access and have done so more frequently during the COVID-19 pandemic.


However, cybercriminals are taking advantage of this technology by directing QR code scans to fraudulent websites in order to steal victim information, embedding malware to gain access to the victim's device, and redirecting payments for cybercriminal use.


Cybercriminals tamper with both electronic and physical QR codes, replacing legitimate codes with fraudulent ones. A consumer scans what he or she believes to be a genuine code but is instead directed to a harmful site, which prompts them to enter login and financial information. Access to this victim data gives the cybercriminal the potential to steal funds.


Crooks can also use malicious QR codes to gain access to a user's mobile device, allowing them to steal the user's location as well as personal and financial information. The stolen financial information may then be used to withdraw money from victims' accounts.

QR codes are also used by businesses and individuals to make payment easier. A company provides consumers with a QR code that directs them to a website where they can complete a payment transaction. A cybercriminal, however, may replace the intended code with a tampered QR code and redirect the payment to someone else for criminal use.


QR codes are not dangerous in and of themselves, but caution is advised when entering financial information or paying for goods through a site reached via a QR code. Law enforcement cannot guarantee that stolen money will be returned after the transaction is complete.


HOW TO AVOID BEING A VICTIM: 8 TIPS TO PROTECT YOURSELF

  • Do not download an app from a QR code. Use your phone’s app store for a safer download.

  • If you get a QR code that appears to be from someone you know, contact them via their regular phone number or address to verify the source of the code.

  • Check the URL after scanning a QR code to ensure that it is the correct site and appears genuine. A fraudulent domain name may be similar to the intended URL, except for typos or missing letters.

  • Exercise caution when entering personal or financial data on a website that you reached via a QR code.

  • When scanning a physical QR code, make sure it hasn’t been altered in any way, such as with a sticker placed on top of the original code.

  • If you get an email from a firm with which you just made a purchase claiming that a payment was rejected, and the company says that the payment can only be completed through a QR code, contact them to verify. Instead of calling a number provided in the email, look for the business's phone number on a reputable site.

  • Do not download a QR code scanner program. This increases the likelihood that your phone will be infected with malware. The built-in scanner in most phones may be accessed through the camera app.

  • Make payments through a URL that you have bookmarked rather than one reached via a QR code, or manually enter a well-known and trusted address to complete the payment.
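
The URL check from the tips above can be automated wherever software decodes QR payloads (a kiosk, a managed-device policy, a mail filter). The following is an added example, not part of the FBI warning or the original article; the allowlisted hosts, the function names and the two-character typo threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts the user or organisation already trusts.
TRUSTED_HOSTS = {"pay.cityparking.example", "www.examplebank.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_qr_url(payload: str, trusted=TRUSTED_HOSTS, max_typos: int = 2) -> str:
    """Classify the text decoded from a QR code before anyone opens it."""
    try:
        parts = urlsplit(payload.strip())
        # .hostname ignores any "user@" prefix, so a trusted name placed
        # before an "@" does not hide the real destination.
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "invalid"
    if parts.scheme != "https" or not host:
        return "not-https"
    if host in trusted:
        return "trusted"       # exact match with an allowlisted host
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return "lookalike"     # internationalised name: possible homoglyphs
    for good in trusted:
        if edit_distance(host, good) <= max_typos:
            return "lookalike" # typo or missing letter vs. a trusted host
    return "unknown"           # not on the allowlist: verify manually
```

A "trusted" result only means the host matches the allowlist exactly; "lookalike" and "unknown" results are the cases where the tips above say to stop and verify through another channel.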


If you believe you have been a victim of funds stolen through a tampered QR code, contact your local FBI field office at www.fbi.gov/contact-us/field-offices/. The Federal Bureau of Investigation (FBI) also encourages individuals to report illicit or unusual behavior to the Internet Crime Complaint Center at www.ic3.gov.



Daniel Farber Huang is a corporate finance strategist, cybersecurity professional and author, documentary photographer, and humanitarian advocate. You can see more of Daniel’s broad body of work at www.DanielFarberHuang.com