Quick Response codes, better known as QR codes, are a convenient way for businesses to get you to visit their websites, download their apps or make payments. But the FBI is warning that bad actors can manipulate these codes to steal your money or personal information.
"Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes," the FBI said in a statement Tuesday. "A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts."
The FBI also said fake QR codes can be used to embed malware onto a victim's phone, giving a scam artist access to the device and potentially any information on it, including financial information. The Bureau said if you become a victim, there is no guarantee law enforcement can get lost funds back to you.
Here are some tips from the FBI on how to protect yourself from being taken advantage of.
- If a QR code is sent to you electronically, either by a business or a friend, don't assume it's safe. Directly contact whoever you believe sent it to you, through a trusted phone number or email address, and confirm it's legitimate. If a business or organization sent it, look up their phone number on a trusted website rather than calling the number the sender gave you.
- Do not download a QR code scanner app since it could be malicious. Most phones already have a scanner on them.
- Do not download an app from a QR code. Go to the app store and look it up.
- If you scan a QR code, make sure it takes you to the address of the site you intended to go to and that it looks authentic. Hackers may use a URL that looks legitimate but may have a typo or misplaced letter.
- If you're scanning a physical QR code, such as one on a flyer or poster, be sure it has not been manipulated, such as with a sticker placed on top of the real code.
- Be cautious before inputting personal or financial information, no matter where you go online. And don't make payments to a site you accessed via a QR code. Manually enter a trusted URL instead.
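Where QR scans are handled in software, the address check described in the tips above can be automated. The following is an added example, not code from the FBI or the original article; the function names, the two-edit lookalike threshold and the rule that subdomains of the expected host are accepted are assumptions, and every URL in it is constructed.

```python
from urllib.parse import urlsplit

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_qr_url(decoded: str, expected_host: str) -> str:
    """Classify a URL decoded from a QR code against the host the user expects."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    except ValueError:
        return "reject: unparsable URL"
    if parts.scheme != "https" or not host:
        return "reject: not an https URL"
    expected = expected_host.lower()
    # Assumption: subdomains of the expected host are trusted.
    if host == expected or host.endswith("." + expected):
        return "ok"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: punycode host"
    if expected in host:
        return "suspicious: expected name inside another domain"
    if edit_distance(host, expected) <= 2:  # assumed threshold: typo or swapped letter
        return "suspicious: lookalike host"
    return "mismatch"

# Constructed sample URLs; "cityparking.example" stands in for the site the user intended.
SAMPLES = [
    "https://cityparking.example/pay?lot=12",
    "https://cityparkinq.example/pay",            # one letter changed
    "https://cityparking.example.pay-now.test/",  # real name used as a subdomain label
    "https://cityparking.example@pay-now.test/",  # real name in the userinfo part
    "http://cityparking.example/pay",             # not https
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{check_qr_url(url, 'cityparking.example'):50} {url}")
```

A result of "ok" only means the host matches; it says nothing about whether the page itself is authentic.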
Also, since it is tax time, it's a good reminder that the IRS says it does not initiate contact with taxpayers -- whether by text message, email or social media -- to seek personal or financial information.