QR codes can eat your lunch, FBI warns

The bureau's Internet Crime Complaint Center (IC3), issued a general alert Tuesday about "malicious" QR codes that reroute unsuspecting consumers.
QR code, restaurant
A QR code at a restaurant in San Jose, California, December 18, 2021. (Photo by Gado/Getty Images)

QR codes are among the few “winners” of the coronavirus pandemic, the joke goes, because restaurants and other businesses have deployed them in far greater numbers over the past few years, in an effort to make more interactions contactless.

The FBI is warning, however, that scammers love them, too.

The bureau’s Internet Crime Complaint Center (IC3), issued a general alert Tuesday about “malicious” QR codes that reroute unsuspecting consumers to the world of cybercrime.

“[C]ybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use,” the announcement says.


The FBI’s warning is the latest in a long string of advisories from cybersecurity researchers or government agencies about the threat posed by QR codes. Last week, Ars Technica reported on fake QR codes that were stuck on parking meters in Texas cities, with the goal of intercepting payments.

In October 2021, scammers were spotted using them as part of a phishing campaign. Earlier last year, the U.S. Army issued a warning. Other alerts pointed to bitcoin scams, And at least one barcode scanner app became notorious for carrying malware itself.

The FBI’s release didn’t cite any examples of such activity, but said the trickery usually comes through QR codes that have been altered, either onscreen or on a printed page.

“A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information,” the FBI said. The bureau did not respond to a request from CyberScoop to provide more detail.

The bureau is warning consumers to double-check any URL generated by a QR code, and to be cautious about using them in general, especially for making payments.

Latest Podcasts