An earlier version of this post has been updated with new information.
We know QR codes are convenient, allowing quick access to the website or payment portal of a restaurant, parking garage, airline, government agency, or other entity. All you have to do is point your smartphone’s camera at that funny little square of black and white, and boom! You’re on your way.
But you don’t go around scanning codes willy-nilly, right? Because QR codes are easy to generate online and because they provide a way to get at the many pieces of valuable personal and financial info stored on your phone, fraudulent QR codes have, inevitably, become reliable tools in the seemingly inexhaustible arsenal at the disposal of scammers eager to snoop on you, drain your bank account, and otherwise ruin your day—or your vacation if you scan a code while on the road.
Both the Better Business Bureau (BBB) and the FBI have issued warnings that cybercriminals use QR codes sent via digital communications and posted in public places to, as the BBB puts it, “direct users to phishing websites, fraudulent payment portals, and downloads that infect devices with viruses or malware.”
Just recently in Atlanta, several residents have reported finding fake QR codes in parking garages throughout the city. As shown in social media posts and on local news stations, scammers appear to have printed the phony codes on stickers and placed them over the real QR codes intended for parking payment.
But scanning the scammy code takes people to a phishing website where their information can be stolen.
According to Lifehacker, similar code cons have been perpetrated using fake parking tickets in San Francisco and an ad for a bubble tea shop in Singapore.
To avoid scanning a fake QR code, experts recommend, first, using a sophisticated sensory device that predates even the iPhone: your index finger. Touch the code, in other words, to find out whether it’s a sticker or seems to have been tampered with in any other way. Do not scan a code that appears to have been fiddled with.
Never, but never download an app or files from a QR code. You could easily be downloading a virus or malware.
There are third-party apps for scanning QR codes with purportedly added layers of security. But the FBI discourages smartphone users from downloading those apps because you could wind up installing an untrustworthy one that downloads malware onto your device—achieving the exact opposite of what you intended.
Another option: not scanning the QR code altogether. The FBI especially advises you to take this course of action when purchasing goods and services. Instead of making a payment by navigating to a website via QR code, the agency says you should “manually enter a known and trusted URL [into your browser] to complete the payment.” Just make sure you’ve reached the legit site.
You can even try going this route in scenarios not related to payment. As Lifehacker points out, if a restaurant doesn’t dispense menus in hard copy, it’s likely you can find the menu yourself by going directly to the restaurant’s website via typing the URL into your browser rather than scanning the QR code.
That may require an extra step or two, but at least your meal won’t end in your personal info getting hacked. We don’t know about you, but we’d rather get heartburn.