Quick Response codes, or QR codes, can be helpful to direct mobile phone users to a website quickly. You don’t need to remember the URL, as you only need to point your phone’s camera at the uniquely-generated square.
But therein lies the problem: you don’t always know where the link is taking you. QR codes do have valid uses, as many restaurants shifted to a digital option over having paper menus.
If you watched this year’s big game, you undoubtedly saw an ad with a QR code floating around. But when you snapped a quick scan, the code took you to a website that you might not expect. Read on to find out how QR codes can be dangerous and why the FBI warns against them.
Here’s the backstory
The QR code you might have seen during the big game was for the cryptocurrency company Coinbase. It was a rather interesting way to advertise its product to millions of people watching the biggest football event of the season.
The floating QR code drove so much traffic to the Coinbase app that it crashed under the influx. Unfortunately, that didn’t only spell disaster for the company; it can also impact you in the future.
The generated codes have been around for some time, but the Coinbase ad might thrust them into prominence. Regular online dangers aside, the FBI wants you to know that you should scan QR codes with caution.
“Cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites. It can steal the victim’s data, embed malware to gain access to the victim’s device, and redirect payment for cybercriminal use,” the agency explains in a blog post.
Malicious QR codes may also contain malware, allowing a criminal to gain access to your mobile device and steal your location as well as personal and financial information. The cybercriminal can leverage stolen financial information to withdraw funds from your accounts.
Tips to protect against dangerous QR codes
If you see a QR code randomly stuck on a lamppost or sidewalk, don’t scan it. There is no telling where the embedded link will take you.
Here are suggestions from the FBI on staying protected from malicious QR codes:
- Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
- If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
- Do not download an app from a QR code. Use your phone’s app store for a safer download.
- If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company’s phone number through a trusted site rather than a number provided in the email.
- Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
- If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
- Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
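The first tip, checking that the scanned URL is the intended site and not a near-miss spelling, can be automated. The sketch below is an added example, not code from the FBI or this article; the domain riverside-cafe.example, the function names and the distance threshold of 2 are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domain you actually expect (constructed, reserved .example TLD).
EXPECTED = {"riverside-cafe.example"}

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, or swap two neighbours."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # A swapped pair ("caef" for "cafe") counts as one edit, not two.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(url: str, expected=EXPECTED) -> str:
    """Return 'expected', 'lookalike', 'unknown' or 'invalid' for a decoded QR URL."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any "user@" prefix, so text before "@" cannot pose as the site.
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "invalid"
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    for dom in expected:
        if host == dom or host.endswith("." + dom):
            return "expected"
    labels = host.split(".")
    for dom in expected:
        # Compare the same number of trailing labels as the expected domain has.
        tail = ".".join(labels[-(dom.count(".") + 1):])
        # Near-miss spelling, or the real name used as a prefix of another domain.
        if edit_distance(tail, dom) <= 2 or host.startswith(dom + "."):
            return "lookalike"
    return "unknown"
```

A result of "unknown" only means the address is not close to anything on the list; it says nothing about whether the site is safe.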
If you believe you have been the victim of stolen funds from a tampered QR code, report it to your local FBI field office at www.fbi.gov/contact-us/field-offices. The FBI also encourages victims to report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.