Consumers’ use and familiarity with QR codes provide businesses with the ability to direct current or potential customers to their websites, mobile apps, digital marketplaces, or anything else available on the Internet. Restaurants often use them to give their diners access to a digital menu, preventing the spread of contagion and saving the business money. Business cards can include a QR code that will direct to an online portfolio, with videos and more detailed information about the services offered than a standard business card can display. There are many legitimate and useful uses for QR codes. However, scammers are also taking note of the technology and using QR codes to carry out various schemes.
Consumer reports to the Better Business Bureau and warnings issued by police departments in cities across the country detail how certain QR codes direct users to phishing websites, fraudulent payment portals and downloads that infect devices with viruses or malware. Although the way victims are exposed to QR code fraud varies, a common theme identified in reports is that most come from unsolicited communications or from a QR code posted in a publicly accessible location.
In Previous BBB article on QR code scamswe warned that more QR scams were coming. Here are some recent ways scammers are using QR codes:
- Parking meter payment. Fraudulent QR codes are often placed on the back of parking meters, leading victims to assume they can pay for parking via the QR code if they don’t have change. Scammers can easily create a QR code for free online, which they then print on stickers and conceal an actual QR code or somewhere it makes logical sense. After paying for the space via QR code, some victims return to find that their vehicle has been towed away or given a parking ticket for non-payment, multiplying the amount of money lost.
- Cryptocurrency wallets and romance scams. The rise of cryptocurrencies has changed traditional thinking about investments, and the confusion surrounding these transactions makes it a breeding ground for scammers to wreak havoc. The trade of cryptocurrencies is done online, and the easiest way for legitimate and fraudulent merchants to direct investors to their digital wallets is to use a QR code. Recently, BBB became aware of scammers who spend months of their time establishing a romantic relationship with their victim, which ultimately leads them to seek financial assistance through a cryptocurrency exchange or “advise” victim on cryptocurrency investment. Believing that the scammer has an urgent need or has their best interest in mind, the victim follows the provided QR code and transfers the requested amount to the scammer’s digital wallet. Many victims lose thousands of dollars before finding out they are being scammed. Learn about other romance scams.
- Phishing scams. The design of QR codes prevents the user from knowing where the code will direct them after scanning, allowing scammers to send victims to phishing websites or downloads that will infect devices with malware. After scanning a code found in an email, text message or flyer, some victims are directed to a website that asks for personal information that can lead to identity theft, compromised passwords for online accounts line or downloads that track user activity on the device. Many phishing attempts start with a notification of “suspicious activity” on one of their online accounts and include a link or QR code allowing the user to verify their identity. In reality, the information provided goes to a scammer, which he then uses for other purposes. Learn more about phishing scams.
- The impostors of public services and government. Many consumers report being contacted by their utility company, the Social Security Administration, or the IRS regarding an outstanding debt that they must immediately pay in full. The representative claims that failure to pay the unpaid bill will result in either an arrest, additional fines, or the closure of access to electricity, gas or water. According to the impostor, the usual payment portal for these services is currently offline, but the victim can submit payment through another portal which they can easily access by following a link or scanning a QR code. The payment portal the victim is directed to often mimics the real portal down to the smallest detail, giving a false sense of security that it is legitimate. Learn more about scams by imposters.
- False sense of security. Reports to the Better Business Bureau and additional screenshots, emails and text detail how scammers include a legitimate QR code for the business or entity they claim to represent in order to give victims a fake security feeling. These QR codes lead to the organization’s official website, making victims who receive these communications more likely to believe that the scammer is a legitimate representative. Other codes will direct the victim to an “employee profile” which includes official logos, badge numbers, professional portraits, and additional information designed to allay any fears the victim may have. Once the scammer is convinced that they have convinced their target, the likelihood of the victim providing the requested information or money increases dramatically. Learn how to spot a fake website.
How to Avoid QR Scams
Confirm the QR code before scanning. If you receive a QR code from a friend via text message or social media message from a colleague, be sure to confirm with that person that they wanted to send you the code to verify that they did not been hacked. Keep in mind what you know about the person messaging you. Are they active in cryptocurrency investments, or is this post a bit out of place? How often do you talk to this person and does it make sense for them to come to you with this opportunity? Trust your intuition and avoid scanning a QR code until you know he sent it on purpose.
Do not open links from strangers. If you receive an unsolicited message from a stranger containing a QR code, BBB strongly advises against scanning it. If the message promises exciting freebies or investment opportunities on the condition that you “act now”, be even more careful. Scammers use this type of language consistently and rely on their targets to make immediate decisions before taking the time to verify its authenticity.
Beware of short links. Suppose a shortened URL appears when you hover your camera over a QR code. In this case, there is no way of knowing where it will direct you once the link is followed. Make sure you are sure the QR code is legitimate before following any short links as it may send you to a malicious website. Once on the website, look at the URL and verify that the domain and subdomain make sense to the organization supposedly operating it. Scammers often change domain and subdomains for URLs or slightly misspell a word to make websites look legitimate.
Check for tampering. Some scammers attempt to mislead consumers by altering legitimate commercial advertisements or placing stickers over the QR code. Keep an eye out for signs of tampering and, if discovered, ask the company to verify that the QR code displayed is genuine. Most businesses permanently install scannable QR codes in their establishments using laminate or placing it behind glass. They will often include the company logo in the code itself, often in the middle.
Sources: BBB.org, BBB Heart of Texas
If you’ve been the victim of a QR scam, report it to BBB.org/ScamTracker. The information provided may prevent another person from becoming a victim. To find reputable companies, go to https://www.bbb.org.
Suggest a fix