FBI Warns of Cybercriminals Compromising QR Codes

Phishing scams typically come in the form of a malicious link in a suspicious email. Now, according to a new warning from the FBI, cybercriminals are also tampering with legitimate QR codes to trick users into navigating to scam websites.

The FBI alert notes that criminals have been tampering with both physical and digital QR codes. “A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information.”

QR codes have had a resurgence in popularity throughout the pandemic as they’ve provided a way for contactless access to information. As an example, QR codes have been used in restaurants as a way for patrons to view a menu, or even place an order simply by using their phone.

“However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use,” the FBI said.

They add that QR codes “are not malicious in nature.” It’s the URL that you’re redirected to that can lead to a dangerous phishing website or malware posing as an app.

The FBI suggests that users who scan a QR code double-check the URL to “make sure it is the intended site and looks authentic.” If there are typos or misplaced letters, it may be a phishing scheme.

“If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code,” the FBI added. “Do not download an app from a QR code. Use your phone’s app store for a safer download.”

When in doubt, you can also manually enter a known and trusted URL into your smartphone, rather than scan the QR code.
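The URL double-check the FBI describes can be automated wherever QR payloads are decoded before being opened. The following is an added example, not part of the FBI alert or the original story; the allowlisted hosts and the function names are hypothetical, and the sample URLs in the comments are constructed.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this QR code is expected to open.
EXPECTED_HOSTS = {"menu.example.com", "pay.example.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typos and misplaced letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(payload: str, expected=EXPECTED_HOSTS) -> list[str]:
    """Return warnings for a decoded QR payload; an empty list means it matches."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    warnings = []
    if parts.scheme != "https":
        warnings.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if parts.username or parts.password:
        # e.g. https://menu.example.com@login.example.net/ really opens login.example.net
        warnings.append(f"text before '@' is not the site; real host is {host!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host (possible look-alike characters)")
    if host in expected:
        return warnings
    near = [e for e in sorted(expected) if edit_distance(host, e) <= 2]
    if near:
        # e.g. menu.exmaple.com, two letters swapped
        warnings.append(f"host {host!r} is a near-miss of {near[0]!r}")
    elif any(host.startswith(e + ".") for e in expected):
        warnings.append(f"expected name is only a prefix of {host!r}")
    else:
        warnings.append(f"host {host!r} is not an expected site")
    return warnings

if __name__ == "__main__":
    for url in ("https://menu.example.com/table/12",      # constructed samples
                "https://menu.exmaple.com/table/12",
                "https://menu.example.com@login.example.net/"):
        print(url, "->", check_qr_url(url) or "OK")
```

An empty result only means the host matches the allowlist; it says nothing about whether the allowlisted site itself is trustworthy.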

Story via PC Magazine
