The use and consumer familiarity with QR codes present an opportunity for businesses to direct current or potential customers to their websites, mobile apps, digital marketplaces, or anything else available on the internet. Restaurants often use them to allow their diners to access a digital menu, preventing the spread of contagions and saving the business money. Business cards can include a QR code that will direct to an online portfolio, complete with videos and more in-depth information about the services offered than what a standard business card can display. There are many legitimate and helpful uses for QR codes. However, scammers are also taking note of the technology and using QR codes to carry out various schemes.
Consumer reports to Better Business Bureau and warnings issued by police departments in cities across the nation detail how some QR codes direct users to phishing websites, fraudulent payment portals, and downloads that infect devices with viruses or malware. While the way victims are exposed to QR code fraud varies, a common theme identified in reports is that most come from unsolicited communications or a QR code posted in a publicly accessible location.
In BBB's previous article on QR code scams, we warned that more QR scams would come.
Here are some recent ways scammers are using QR codes:
Parking meter payment: Fraudulent QR codes are often placed on the back of parking meters, leading victims to assume that they can pay for parking through the QR code if they do not have change. Con artists can easily create a QR code for free online, which they then print on stickers and either cover up an actual QR code or place where it makes logical sense. After paying for the spot through the QR code, some victims return to find their vehicle has been towed or received a parking ticket for non-payment, multiplying the amount of money lost.
Cryptocurrency wallets: The rise of cryptocurrencies has altered traditional thinking about investments, and the confusion surrounding these transactions makes it a ripe ground for scammers to take their toll. The trading of cryptocurrencies is conducted online, and the easiest way for both legitimate and fraudulent traders to direct investors to their digital wallets is through a QR code.
Romance scams: Scammers will spend months of their time building a romantic relationship with their victim, which ultimately results in them asking for financial assistance through a cryptocurrency exchange or ‘advising’ the victim on cryptocurrency investment. Believing that the scammer is in dire need or has their best interest in mind, the victim follows the provided QR code and transfers the requested amount to the scammer’s digital wallet. Many victims lose thousands of dollars before they discover they are being scammed. Read about other romance scams.
Phishing scams. The design of QR codes makes it impossible for the user to know where the code will direct them after scanning, allowing scammers to send victims to phishing websites or downloads that will infect devices with malware. After scanning a code found in an email, text or on a flyer, some victims are directed to a website that requests personal information that can lead to identity theft, compromised passwords for online accounts or downloads that track the user’s activity on the device. Many phishing attempts begin with notification of ‘suspicious activity' on one of their online accounts and include a link or QR code for the user to verify their identity. In reality, the information provided is going to a scammer, which they then use for other purposes. Read more on phishing scams.
Utility and government impostors. Many consumers report they are contacted by their utility company, the Social Security Administration or the IRS regarding an outstanding debt they must immediately pay in full. The representative claims that failure to pay the unpaid bill will result in either arrest, additional fines or shutting off access to electricity, gas or water. According to the impostor, the regular payment portal for these services is currently offline, but the victim can submit payment through another portal which, conveniently, they can access by following a link or scanning a QR code. The payment portal the victim is directed to often mimics the real portal down to the finest detail, providing a false sense of security that it is legitimate. Learn more about impostor scams.
False sense of security. Reports to Better Business Bureau and additional screenshots, emails, and texts detail how scammers include a legitimate QR code for the company or entity they are claiming to represent to give victims a false sense of security. These QR codes route to the official website for the organization, leading victims in receipt of these communications to more likely believe that the scammer is a legitimate representative. Other codes will direct the victim to an ‘employee profile’ that includes official logos, badge numbers, professional headshots and additional information designed to ease any fears the victim may have. Once the scammer is confident that they have convinced their target, the likelihood that the victim will provide whatever information or money is requested drastically increases. Learn how to spot a fake website.
How to avoid QR scams
Confirm QR code before scanning. If you receive a QR code from a friend via text or a message on social media from a workmate, be sure to confirm with that person they meant to send you the code to verify they have not been hacked. Keep in mind what you know about the person messaging you. Are they active in cryptocurrency investments, or is this message a little out of character? How often do you talk to this person, and does it make sense they would come to you with this opportunity? Trust in your intuition and avoid scanning any QR code until you know they sent it on purpose.
Do not open links from strangers. If you receive an unsolicited message from a stranger that includes a QR code, BBB strongly recommends against scanning it. If the message promises exciting gifts or investment opportunities under the condition you ‘act now,’ be even more cautious. Scammers use this type of language consistently and rely on their targets to make immediate decisions before taking the time to verify its authenticity.
Be wary of short links. Suppose a shortened URL appears when hovering your camera over a QR code. In that case, there is no way of knowing where it will direct you once the link is followed. Make sure you are confident that the QR code is legitimate before following short links, as it may send you to a malicious website. Once on the website, look at the URL and verify the domain and subdomain make sense for the organization that supposedly operates it. Scammers often switch around the domain and subdomains for URLs or slightly misspell one word to make websites appear legitimate.
Check for tampering. Some scammers attempt to mislead consumers by altering legitimate business ads or placing stickers on the QR code. Keep an eye out for signs of tampering and, if discovered, have the business check that the posted QR code is genuine. Most businesses permanently install scannable QR codes in their establishments using laminate or placing it behind glass. They will often include the business’s logo in the code itself, often in the middle.
If you’ve been the victim of a QR scam, report it at BBB.org/ScamTracker. Information provided may prevent another person from falling victim.