
Don’t scan that QR code! Hackers are using them to steal your info and money

Scan a QR code and you can get information such as recipes, menus, website links, contact information, links to download apps, coupons and more. A Quick Response (QR) code is a type of barcode that can be read by a digital device; QR codes were initially created to track automotive parts.

There are many third-party QR scanning apps out there, but you don’t even need one. Your phone’s camera can scan QR codes without the need for any additional software.

While convenient and entertaining, scanning a QR code can expose you to malware and scams. The FBI just issued a warning regarding schemes where cybercriminals tamper with legitimate QR codes to redirect potential victims to phishing sites.

Be careful what you scan

The FBI released a PSA this week explaining how criminals are tampering with both digital and physical QR codes. In some cases, legitimate codes are replaced with malicious ones, prompting a victim to enter login and financial information. The cybercriminal can then do as they please with this information, including stealing money from the victim’s account.

In other cases, the QR code can contain embedded malware, allowing the criminal access to a victim’s mobile device, where they can access the victim’s location, personal and financial information.

In cases where payment can be made with QR codes, a criminal can tamper with the code to redirect payments elsewhere.

Fraudulent QR codes are even being placed on parking meters in cities around the U.S. When a driver scans the code to pay for parking, they’re taken to a fake website designed to scam them out of their money.

What to look out for

The FBI issued the following tips on what to watch for and when you should avoid scanning QR codes altogether:

  • Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
  • Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
  • If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
  • Do not download an app from a QR code. Use your phone’s app store for a safer download.
  • If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company’s phone number through a trusted site rather than a number provided in the email.
  • Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
  • If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
  • Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
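
The first tip, checking that the scanned URL is the intended site and not a look-alike with a typo or misplaced letter, can be done by a program as well as by eye. The Python code below is an added example, not part of the FBI PSA or this article; the operator domain parkcity.example, the sample URLs and the distance threshold of 2 are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # two swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_qr_url(url: str, expected_host: str) -> str:
    """Compare a URL decoded from a QR code with the host the user expects."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "reject: malformed URL"
    expected = expected_host.lower()
    if parts.scheme != "https" or not host:
        return "reject: not an https web link"
    if parts.username is not None:
        return "reject: text before '@' is not the real host"
    if host == expected or host.endswith("." + expected):
        return "ok: expected site"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "suspicious: internationalized look-alike characters"
    if host.startswith(expected + "."):
        return "suspicious: expected name is only a prefix of another domain"
    if osa_distance(host, expected) <= 2:  # threshold is an assumption
        return "suspicious: typo or misplaced letter in the domain"
    return "unknown: a different site than expected"

# Constructed sample scans for a hypothetical parking operator.
EXPECTED = "parkcity.example"
SAMPLES = [
    "https://pay.parkcity.example/meter/12",
    "https://parkcitty.example/pay",
    "https://parkctiy.example/pay",
    "https://parkcity.example.pay-now.test/",
    "https://parkcity.example@203.0.113.7/pay",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample} -> {check_qr_url(sample, EXPECTED)}")
```

A result of "ok" only means the host matches the one you expected; it says nothing about whether a sticker was placed over the original code, so the other tips still apply.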
