Did the FBI just warn people to avoid using the restaurant menu QR code, because it can hack your phone?!
Take a look at the viral claim, and find out what the facts really are!
Claim : FBI Says Restaurant QR Code Can Hack Your Phone!
People are sharing a Daily Mail article, or screenshots of it, which claims that the FBI just warned people not to use any restaurant menu QR code because it can allow hackers to steal your data!
Here is an excerpt from the Daily Mail article. Feel free to skip to the next section for the facts!
Why you should ALWAYS ask for a physical menu: FBI warns hackers are planting fake QR CODES in restaurants that steal your data when you click the link
- Scammers are making fake QR codes to place on top of real ones
- This is letting them access smartphones and steal personal data
QR codes have become the new default for accessing restaurant menus across the US post-Covid — but scammers are seizing upon the new practice.
The FBI warns thieves are creating fake QR codes and planting them at eateries, retail shops and even parking meters.
Instead of taking you to an online menu or checkout, the links instantly download malware onto your device, stealing your location and personal information.
The FBI has urged consumers to look out for typos or misplaced letters in URLs accessed through QR codes and ask restaurants for a physical menu.
Truth : FBI Did Not Say Restaurant QR Code Can Hack Your Phone!
This appears to be a “misunderstanding” of an actual FBI warning about QR codes. Here is what you need to know about the risks of scanning a QR code for a restaurant menu.
Fact #1 : FBI Issued QR Code Warning In January 2022
I could find no reference to a recent QR code warning by the FBI, and oddly enough, The Daily Mail did not provide a source or link to the FBI warning its article was referring to.
The FBI only released one public service announcement (PSA) about QR codes, and that was Alert Number 1-011822-PSA which was released on January 18, 2022.
If that was the source for the Daily Mail article, then it’s more than a year old, and not recent as the article appears to suggest.
Fact #2 : FBI Warned About General QR Code Risk
The FBI advisory was a general warning about the risks of tampered QR codes. Specifically, it warned about cybercriminals tampering with both digital and physical QR codes.
The FBI is issuing this announcement to raise awareness of malicious Quick Response (QR) codes. Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.
Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site…
Fact #3 : FBI Advisory Did Not Mention Restaurant / Menu
Interestingly, the entire FBI advisory did not once mention restaurants or menus, and that makes a lot of sense.
It is odd to focus on the risk of using QR codes for online menus in restaurants, when they are used in so many other ways today – for mobile payments, mobile tickets, login tokens, etc.
Any security risk involving restaurant menu QR codes would also apply to QR codes used for other purposes. So it really doesn’t make sense for the FBI to “pick on” restaurant menu QR codes.
Fact #4 : QR Code Is Not Malicious In Nature
QR code (which is short for Quick Response code) is not nefarious or malicious in nature. The FBI advisory specifically pointed that out – “QR codes are not malicious in nature”.
The QR code is merely a type of two-dimensional barcode that was invented in 1994 by the Japanese company, Denso Wave, to track automotive parts. It has since been adopted for other purposes because it is more efficient and can support more than just numbers. For example, a Version 40 QR code can contain up to 7,089 numbers or 4,296 characters.
Ultimately, a QR code is nothing more than a series of numbers or characters – data which can be used for a variety of purposes, including providing a link to an online restaurant menu.
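The Version 40 figures above can be reproduced from the bit layout of a QR symbol. This is an added example, not part of the original article; it assumes error-correction level L, takes the data codeword counts and field widths from the QR standard (ISO/IEC 18004), and uses a constructed 1 MB payload size to show how little fits in even the largest code.

```python
# Data codewords (8 bits each) at error-correction level L for the three
# versions the article mentions. Values from ISO/IEC 18004.
DATA_CODEWORDS_L = {1: 19, 10: 274, 40: 2956}

# mode: (bits per group, characters per group,
#        width of the character-count field for versions 1-9, 10-26, 27-40)
MODES = {
    "numeric": (10, 3, (10, 12, 14)),
    "alphanumeric": (11, 2, (9, 11, 13)),
    "byte": (8, 1, (8, 16, 16)),
}

# Leftover bits can still carry a short final group:
# numeric uses 7 bits for 2 digits or 4 bits for 1; alphanumeric uses 6 bits for 1.
TAIL = {"numeric": ((7, 2), (4, 1)), "alphanumeric": ((6, 1),), "byte": ()}


def capacity(version, mode):
    """Maximum characters one QR symbol holds in a single encoding mode."""
    bits_per_group, chars_per_group, widths = MODES[mode]
    width = widths[0 if version <= 9 else 1 if version <= 26 else 2]
    # Every segment starts with a 4-bit mode indicator and a length field.
    usable = DATA_CODEWORDS_L[version] * 8 - 4 - width
    groups, left = divmod(usable, bits_per_group)
    chars = groups * chars_per_group
    for need, extra in TAIL[mode]:
        if left >= need:
            chars += extra
            break
    return chars


def codes_needed(payload_bytes, version=40):
    """How many symbols of this version a binary payload would need."""
    return -(-payload_bytes // capacity(version, "byte"))


if __name__ == "__main__":
    for v in (1, 10, 40):
        print(v, {m: capacity(v, m) for m in MODES})
    # Constructed size: a 1 MB file, far larger than any single symbol.
    print("version 40 codes for 1 MB:", codes_needed(1_000_000))
```

In byte mode, the mode needed for arbitrary binary data, a Version 40 symbol tops out at 2,953 bytes, which is enough for a link but not for an app package.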
Fact #5 : QR Code Can Be Tampered With
It is true that QR codes can be tampered with. In fact, the FBI advisory was issued after Texas police departments discovered fraudulent QR code stickers on parking meters in San Antonio and Austin. Drivers who scanned those fake QR codes were taken to a scam website instead of the real payment website.
Hence, the FBI issued that warning to remind people to check the URL link to make sure that it is the intended website, and not a phishing page with a similar link. For example, the fake website may use www.quikpay.com when the real website is www.quickpay.com.
To completely avoid this risk, avoid using a QR code to access a payment website. Always go directly to the payment website on your smartphone’s web browser by keying in the link yourself. Genuine payment labels with a QR code will often include a direct URL link for you to use as a safer alternative.
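The URL check described above can be automated in a scanner app or kiosk. This is an added example, not part of the original article or the FBI advisory; it assumes the genuine host is the article's www.quickpay.com, and the function names and sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the host printed on the genuine payment label (the article's example).
EXPECTED_HOSTS = {"www.quickpay.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_qr_url(payload, expected=EXPECTED_HOSTS, max_typos=2):
    """Return (verdict, detail) for the text decoded from a QR code."""
    text = payload.strip()
    if "://" not in text:
        text = "https://" + text  # QR codes often carry a bare host
    try:
        parts = urlsplit(text)
    except ValueError:
        return "reject", "not a parseable URL"
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return "reject", "not an https link to a named host"
    if not host.isascii() or "xn--" in host:
        return "lookalike", f"{host} uses non-ASCII or punycode letters"
    if host in expected:
        return "ok", host
    for good in expected:
        typos = edit_distance(host, good)
        if typos <= max_typos:  # a missing or swapped letter lands here
            return "lookalike", f"{host} is {typos} edit(s) from {good}"
    return "unknown", host


# Constructed sample payloads, not taken from any real incident.
SAMPLES = [
    "https://www.quickpay.com/pay?meter=1042",
    "https://www.quikpay.com/pay?meter=1042",
    "www.qiuckpay.com",
    "https://menu.example/table/7",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_qr_url(sample))
```

An "unknown" verdict only means the host is not on the expected list; the user still has to decide whether that site is the one they intended to visit.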
Fact #6 : Restaurant Menu QR Code Is Low Risk
While scammers can place fraudulent QR codes over genuine ones at restaurants, bars, and other eateries, this is a very unlikely attack vector.
That’s because restaurants often use QR codes to redirect you to an online system to order food and drinks for your table. Imagine if you scan a fraudulent QR code and are asked to key in your credit card details. That would be absurd, and you would surely complain to the waiter since you haven’t even ordered your food!
In most cases, you are not expected to pay at the table using a QR code. You pay at the payment counter using cash, credit card, or mobile payment using a QR code. Even if that QR code is compromised, the cashier would notice it immediately, as any payment made using that QR code would not be reflected in the restaurant’s point-of-sale (POS) system.
And payment only occurs after dining – a fraudulent QR code that leads you to a fake website won’t allow you to actually order anything, since it’s not connected to the real restaurant and its ordering system. That’s why this attack vector is highly improbable.
In any case, many restaurants now generate temporary QR codes on disposable paper stubs to avoid this risk. The QR code is only valid for your dining session. The next person to dine at the same table will receive a different QR code.
Fact #7 : QR Code Can Potentially Inject Malware
It is possible for a QR code to inject malware into the smartphone that you are using to scan. In fact, there are apps like QRGen that allow scammers / hackers to easily generate malicious QR codes. However, it isn’t quite as simple as the article makes it out to be.
For one thing – malware and exploits are limited to specific operating systems or phone models. For example, an Android exploit / malware won’t work on iPhones, and an exploit / malware that makes use of an Android 11 vulnerability won’t work on newer / updated Android smartphones since they would have patched the vulnerability.
Second – any malware will require considerable amounts of code to load. The scammer / hacker will have to use an enormous QR code like the version 40 example below, or they will need to convince you to download and install the malware package itself.
Genuine restaurant menu QR codes are simple – like the version 1 / version 10 examples above, because they only serve a link to their online menu / ordering system. If you see a large and complex QR code like the version 40 example, avoid scanning it, and ask the restaurant staff to verify its authenticity.
Restaurant menu QR codes would also never ask you to download or install anything. They only serve to load a link to an online menu / ordering system, so if you are asked to download or install anything, do NOT proceed, and notify the restaurant.
These tips also apply to other businesses that use QR codes to show you a menu, discounts, offers, information, etc.
Dr. Adrian Wong has been writing about tech and science since 1997, even publishing a book with Prentice Hall called Breaking Through The BIOS Barrier (ISBN 978-0131455368) while in medical school.
He continues to devote countless hours every day writing about tech, medicine and science, in his pursuit of facts in a post-truth world.