FBI Portland
Portland Media Office
(503) 460-8060
October 19, 2021

Oregon FBI Tech Tuesday: Building a Digital Defense Against QR Code Scams

Welcome to the Oregon FBI’s Tech Tuesday segment. Today: Building a digital defense against QR code scams.

Let’s start with the basics. “QR” stands for “quick response.” The QR code is a square image that you can scan with your phone—usually by just pointing your camera at it. The image itself is filled with data that can do lots of helpful things, such as send you to a particular website or payment portal.

QR codes have become much more common in these COVID times. They allow restaurants to use virtual menus and vendors to accept cashless payments easily. You may find codes physically pasted about or virtually embedded into ads, emails, or online. They are easy to create and, unfortunately, easy to hack.

The FBI is starting to get reports of people who are falling victim to QR code scams, including some who are losing money. One area of particular concern—frauds involving cryptocurrency. Crypto transactions are often made through QR codes associated with crypto accounts… making these transactions easy marks.

If you happen to scan a scammer’s bad code, you could end up giving him access to your device. He can access your contacts, download malware, or send you to a fake payment portal. Once there, you can inadvertently give him access to your banking and credit card accounts. If you make a payment through a bad QR code, it’s difficult if not impossible to get those funds back.

Here’s how to protect yourself:

  • Do not scan a randomly found QR code.
  • Be suspicious if, after scanning a QR code, the site asks for a password or login info.
  • Do not scan QR codes received in emails unless you know they are legitimate. Call the sender to confirm.
  • Some scammers are physically pasting bogus codes over legitimate ones. If it looks as though a code has been tampered with at your local bar or restaurant, don’t use it. Same thing with legitimate ads you pick up or get in the mail.

Finally, consider using antivirus software that offers QR readers with added security that can check the safety of a code before you open the link. If you are the victim of any other online fraud, you should report the incident to the FBI’s Internet Crime Complaint Center at www.ic3.gov or call your FBI local office.