Malicious QR Codes Are Wreaking Havoc

January 24, 2022


Remember when QR codes first became a thing? It was a wild journey in the early 2010s. As smartphones pushed into the mainstream, people realized that they could embed data (such as a URL) into an image, and that image could be scanned by the newly ever-present iPhone.

This made highly complicated URLs and website data easy to access, even when on the go.

The QR code has had a renaissance, thanks to the COVID-19 pandemic. Restaurants that wanted to avoid spreading germs through reusable food menus, and to save money on printing single-use menus, decided to add a QR code to every single table inside and outside of the restaurant.

Patrons simply scan the QR code and the menu appears on their phone.

These are also common in office settings, as links to online forums and even medical intake forms can more easily be accessed via QR code.

Of course, wherever a technological solution aims to make life easier, there are bad actors looking to exploit it.

Last week, the Federal Bureau of Investigation issued a public service announcement to raise awareness of an increase in the use of malicious QR codes by cybercriminals.

As the FBI noted in their PSA, “Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. A victim scans what they think to be a legitimate code, but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.”

A recent example of this involved the theft of banking credentials in Germany using QR codes.

Included in the PSA is a list of tips, including:

  • Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
  • Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
  • If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
  • Do not download an app from a QR code. Use your phone’s app store for a safer download.
  • If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company’s phone number through a trusted site rather than a number provided in the email.
  • Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
  • If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
  • Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
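
The first tip, checking the scanned URL for a near-miss of the intended domain, can be automated wherever the set of legitimate domains is known. The following is an added example, not part of the FBI PSA or the original article; the domains under `.example` and `.test` and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains a (hypothetical) restaurant really prints on its QR codes.
EXPECTED_DOMAINS = {"bistro.example", "pay.bistro.example"}

def edit_distance(a, b):
    """Count inserts, deletes, substitutions and adjacent swaps needed to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # A "misplaced letter": two adjacent characters swapped counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_qr_url(payload, expected=EXPECTED_DOMAINS, max_distance=2):
    """Return (verdict, reasons) for the text decoded from a QR code."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if parts.username or parts.password:
        reasons.append("text before '@' can disguise the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible look-alike characters")
    if host in expected:
        return ("suspicious" if reasons else "expected"), reasons
    near = [d for d in sorted(expected) if edit_distance(host, d) <= max_distance]
    if near:
        return "lookalike", reasons + [f"{host!r} is within {max_distance} edits of {near[0]!r}"]
    return "unknown", reasons + [f"{host!r} is not on the expected list"]

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them.
    for url in ("https://bistro.example/menu", "https://bsitro.example/menu",
                "http://pay.bistro.example/", "https://bistro.example@login.test/"):
        print(url, "->", check_qr_url(url))
```

A `lookalike` verdict is the case the PSA describes: a host that is not on the list but is only a typo or a swapped letter away from one that is.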

You may think that this is only an issue when you are, for example, at the bank or in your doctor’s office. But this isn’t the case.

Bad actors may leave a QR code in the place of a restaurant’s menu QR code. The code may direct you to a malicious website, or even just to an interim website asking for your name and email, with which the bad actor may try to gain further information from you later.

Be cautious and always check a website’s information. If you have doubts about a site’s authenticity, it’s better to be on the safe side.