Never Use Your Phone to Do This, FBI Says in New Warning
The agency is alerting the public to a new type of scam that could cost you dearly.
Just over a decade ago, your phone was an essential device that you used to reach people and stay in touch with friends and loved ones. Now, the small device in your pocket is capable of everything from streaming movies or live TV, buying your groceries for the week, booking a flight with a few taps of your finger, or even unlocking your home's front door. But even as technology has made our lives more convenient in some ways, it's also made us more vulnerable—including a new type of cybercrime involving your phone that the Federal Bureau of Investigation (FBI) is warning the public about. Read on to see what has the top law enforcement agency so concerned.
The FBI is warning that you should never use your phone to scan untrusted QR codes in public.
Even though they've been around for more than a decade, QR codes became more commonly used during the COVID-19 pandemic. Now, they've become so commonplace that one was used in a viral commercial during this year's Super Bowl. But while they can be handy for looking at a restaurant's menu or visiting your favorite shop's online store within seconds, criminals can also use them for nefarious purposes. The FBI is warning that scammers are now using the scannable symbols to take advantage of unsuspecting victims in some cases.
In a public service announcement released on Jan. 18, the agency said that despite plenty of legitimate uses, "cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use."
Criminals will sometimes tamper with legitimate codes to steal information from victims or upload malware to your device.
According to authorities, the recent uptick in QR codes has brought an increase in related crime with it. In many such cases, scammers will tamper with signage and replace a legitimate QR code with one that sends customers to a different website altogether. Victims are then duped into entering their personal information or credit card number, which the scammer can then use to steal funds or commit identity theft.
In some cases, fraudsters can also use the tactic to break into your phone. "Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim's mobile device and steal the victim's location as well as personal and financial information," the FBI warns. "The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts."
Criminals have used QR codes to steal funds and information in a parking-related scam.
Scammers have already taken to using QR codes in some surprising ways. On Dec. 20, the San Antonio Police Department issued a public warning that fraudsters were sticking the scannable squares to public meters, saying that "people attempting to pay for parking using those QR codes may have been directed to a fraudulent website and submitted payment to a fraudulent vendor." Unsuspecting victims who used the codes while attempting to pay for parking were actually handing over their credit card information to fraudsters. Unfortunately, police also reported similar parking scams to have taken place in Austin and Houston.
"We don't use QR codes at all for this very reason, because they are easy to fake or place on the devices," Jason Redfern, Austin parking division manager, told local NBC affiliate KXAN. "And we heard from industry leaders that this would be a possibility," adding that the city only accepts payments of cash, coins, or credit card at the meter or through the use of the city's mobile payment app.
Authorities warn only to scan QR codes you can trust and to double-check the site it sends you to.
The FBI is cautioning the public that while they can still count on QR codes to be safe in most cases, there are a few tips to follow to make sure they don't fall victim to a scam. The agency recommends only scanning codes from a trusted source, such as inside a reputable business, and always ensuring it hasn't been tampered with or altered with a sticker. You should also double-check the address of any website you're sent to via QR code and only ever enter personal or financial information when you verify you're on the webpage. When in doubt, manually enter the address of the website you're trying to visit to make sure you're not being misdirected.
The agency also warns that you should never download an app from a QR code, opting to use your phone's native app store instead. You should also avoid scanning any codes sent to you in an email requesting payment from a company. As always, you should look up the number of the company in question and contact them before handing over any information.