FBI Warning—If You Ever See This QR Code, It’s An Attack
You have been warned — do not click.
NurPhoto via Getty Images
QR codes are everywhere. Whether paying for parking, opening a menu or connecting to WiFi, pointing your camera at a code and opening a link is now the norm. But the FBI warns one type of QR code is high-risk and you must always avoid.
QR code attacks are not new. We have malicious codes included in phishing PDF files to bypass security filters, printed and stuck to parking meters, even sent in the mail. The latest scam is just as simple. And it all starts with a delivery at your home.
Criminals are sending “unsolicited packages,” the bureau says, which contain a QR code “that prompts the recipient to provide personal and financial information or unwittingly download malicious software that steals data from their phone.” If you receive an unexpected package with no sender details and a QR code, it’s one of these attacks.
To trick you into scanning the code, “the criminals often ship the packages without sender information.” The FBI says this is similar to “brushing scams,” where you’re sent a product you didn’t order, enabling a criminal to post an online review on your behalf.
There are many reasons to “beware of unsolicited packages containing merchandise you did not order,” but you’ll be tempted to open the package given it will have your address. But “do not scan QR codes from unknown origins,: the FBI says. And “beware of packages that do not include sender information.”
QR codes look benign but they’re not. Zimperium’s Nico Chiaraviglio warns that research shows that attackers are increasingly leveraging multiple mobile-specific channels—including SMS, email, QR codes, and voice phishing (vishing) — to exploit user behaviors and expand their attack surface.”
This latest FBI warning comes just as citizens are told voice message attacks impersonating well-known individuals to entice engagement are also surging. And we have seen countless SMS warnings over the last 12-months (1,2,3)
“If you believe you are the target of a brushing scam,” the FBI says you should “secure your online presence by changing account profiles and request a free credit report from one or all the national credit reporting agencies.”