Watch out for fake QR codes at your favorite restaurant or shop. The FBI is warning that cybercriminals have been tampering with legitimate QR codes to try and trick unsuspecting users into loading up scam websites.
On Tuesday, the FBI issued the alert, warning that cybercriminals have been targeting both physical and digital QR codes. “A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information,” the agency added.
The scheme exploits how QR codes have grown in popularity during the pandemic as a contactless way to access information. This can include scanning a QR code to view a restaurant’s menu or even place an order.
“However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use,” the FBI said.
The tactic is basically a spin-off of phishing scams, in which hackers use fake emails and messages from legitimate companies to trick victims into giving up their password or downloading malware. The culprits are now pasting their phishing scams on top of legitimate QR codes, including those found on parking meters, as police in Texas recently found.
The FBI added that QR codes “are not malicious in nature.” The technology is really just a barcode; once scanned, it will decode into a URL your smartphone can visit with a single tap. It’s that URL that could lead you to a phishing website or malware posing as an app.
As a result, the FBI is urging users to double-check the URL from a scanned QR code to “make sure it is the intended site
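The URL check described above can be automated in a scanner app or kiosk. This is an added example, not code from the FBI alert or the article; it compares the text decoded from a QR code against the host the user expects. `check_qr_url`, `EXPECTED_HOSTS` and every hostname shown are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the set of hosts the person scanning expects to reach (constructed).
EXPECTED_HOSTS = {"menu.example-restaurant.test"}

def check_qr_url(payload, expected_hosts=EXPECTED_HOSTS):
    """Return (ok, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host, port = parts.hostname, parts.port  # hostname comes back lowercased
    except ValueError:
        return False, "not a parseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if not host:
        return False, "no host"
    # "https://trusted@other/" displays the trusted name but connects to "other".
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before the host"
    if port not in (None, 443):
        return False, "unexpected port"
    # Non-ASCII or punycode labels can render as a lookalike of the real name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised host, possible lookalike"
    # Exact match only: a suffix or substring match would accept
    # "menu.example-restaurant.test.other-site.test".
    if host.rstrip(".") not in expected_hosts:
        return False, "host is not the intended site"
    return True, "host matches the intended site"

# Constructed sample payloads, as a scanner would hand them over after decoding.
SAMPLES = [
    "https://menu.example-restaurant.test/table/12",
    "http://menu.example-restaurant.test/table/12",
    "https://menu.example-restaurant.test@other-site.test/login",
    "https://menu.example-restaurant.test.other-site.test/",
    "https://menu.ex\u0430mple-restaurant.test/",  # Cyrillic "a" in the name
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_qr_url(sample), ascii(sample))
```
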
Read more on pcmag.com