The FBI issued a warning about criminally tampered-with quick response (QR) codes that steal people’s information, threatening their security and livelihoods.

The most common scams involving QR codes, which people scan with a smartphone or tablet camera, direct the user to a website for a menu at a restaurant or food outlet. QR codes also lead people to download an app or pay someone. They can appear at bus or subway stops, restaurants, parks and other public places around the world.

QR codes are helpful for people who have trouble reading a physical menu or find it easier to access information through a website. During the COVID-19 pandemic, QR codes are an efficient way to deliver information, consensually access information or direct people in a contactless manner via their respective devices.

However, the FBI has raised concerns about those who tamper with QR codes to gain access to people’s information in a non-consensual or misleading way for malicious purposes. Some of these tampered-with QR codes carry malware such as computer or phone viruses. They can also direct people to malicious sites that seem innocuous at first before asking for login, location or financial information.

[Photo: China was the first country to adopt a QR code system to log Covid test results and track contacts. Credit: AFP / Hector RETAMAL]

These sites usually appear suspicious to anyone with basic internet and safety knowledge, but some will look legitimate. If it is not legitimate, simply exit the site and try not to click on any other links.

If something is suspicious, do not use the QR code. Order from a restaurant's physical menu instead of a QR code-directed site. Ask the waiter or any staff present if the QR code is meant to be on that napkin or menu holder.

For protection against these frauds, the FBI provided some advice. Check the site or app the QR code leads to. Often a malicious site will have a domain name similar to the legitimate one, so check that the name is spelled correctly without any errors and whether the site is a .com, .org, .edu, etc.
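One way to automate the spelling and top-level-domain check described above, as an added example (not code from the FBI or from this article). The expected domain `example-bistro.com`, the sample URLs and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(url: str, expected: str) -> list:
    """Compare a URL decoded from a QR code with the domain the user expects.

    `expected` is a two-label domain such as "example-bistro.com". Treating the
    last two host labels as the registered domain is a simplification that does
    not cover suffixes like .co.uk.
    """
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        findings.append("userinfo-before-host")  # text before '@' is not the site
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode-label")        # may render as lookalike letters
    registered = ".".join(labels[-2:])
    if registered == expected:
        return findings                          # exact domain or a subdomain of it
    name, _, tld = registered.partition(".")
    exp_name, _, exp_tld = expected.partition(".")
    if name == exp_name and tld != exp_tld:
        findings.append("tld-mismatch")          # right name, wrong .com/.org/.edu
    elif edit_distance(name, exp_name) <= 2:
        findings.append("lookalike-spelling")    # one or two characters off
    elif exp_name in host:
        findings.append("expected-name-embedded")  # real name used as a subdomain
    else:
        findings.append("different-domain")
    return findings

if __name__ == "__main__":
    # Constructed sample URLs, as a QR decoder might return them.
    for u in ("https://menu.example-bistro.com/table/4",
              "https://example-bistr0.com/menu",
              "https://example-bistro.org/menu"):
        print(u, check_qr_url(u, "example-bistro.com"))
```

An empty list means the host is the expected domain or one of its subdomains over HTTPS; any finding is a reason to stop and verify the code with staff or the sender.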

If there is a sticker placed on top of the original code, be suspicious. Download apps from an app store, not a QR code. Always verify that a QR code received is from the intended sender. The FBI also says not to download a QR scanner app as a smartphone or tablet camera works fine.

For any email that says a payment to a company failed and includes a QR code that directs to a payment site, check the email and website to make sure they are valid, but also ask the company through well-known means if they sent that email. Make sure the company providing the QR code is a trusted company with a presence outside the QR code link.

Avoid providing payment information through a site reached through a QR code. A person should exercise caution every time they enter login, financial or personal information into a site, whether or not it is from a QR code.