The use and consumer familiarity with QR codes present an opportunity for businesses to direct current or potential customers to their websites, mobile apps, digital marketplaces or anything else available on the internet. Business cards can include a QR code that will direct to an online portfolio, complete with videos and more in-depth information about the services offered than what a standard business card can display.
There are many legitimate and helpful uses for QR codes. However, scammers are also taking note of the technology and using QR codes to carry out various schemes.
QR codes can direct users to phishing websites, fraudulent payment portals and downloads that infect devices with viruses or malware.
While the way victims are exposed to QR code fraud varies, a common theme identified in reports to Better Business Bureau is that most come from unsolicited communications or a QR code posted in a publicly accessible location.
Here are some recent ways scammers are using QR codes:
Parking meter payment. Fraudulent QR codes often are placed on the back of parking meters, leading victims to assume they can pay for parking by using the code if they do not have change. Con artists easily can create a QR code for free online, which they then print on stickers and either cover up an actual QR code or place where it makes logical sense. After paying through the QR code, some victims return to find their vehicle has been towed or received a parking ticket for non-payment, multiplying the amount of money lost.
Cryptocurrency wallets. The rise of cryptocurrencies has altered traditional thinking about investments and the confusion surrounding these transactions makes it a ripe ground for scammers to take their toll. The trading of cryptocurrencies is conducted online and the easiest way for both legitimate and fraudulent traders to direct investors to their digital wallets is through a QR code.
Romance scams. Recently, BBB has become aware of scammers who spend months of their time building a romantic relationship with their victim, which ultimately results in them asking for financial assistance through a cryptocurrency exchange or advising the victim on cryptocurrency investment. Believing the scammer is in dire need or has their best interest in mind, the victim follows the provided QR code and transfers the requested amount to the scammer’s digital wallet. Many victims lose thousands of dollars before they discover they are being scammed.
Phishing scams. The design of QR codes makes it impossible for the user to know where the code will direct them after scanning, allowing scammers to send victims to phishing websites or downloads that will infect devices with malware. After scanning a code found in an email, text or on a flyer, some victims are directed to a website that requests personal information that can lead to identity theft, compromised passwords for online accounts or downloads that track the user’s activity on the device.
Utility and government impostors. Many consumers report they are contacted by their utility company, the Social Security Administration or the IRS regarding an outstanding debt they must immediately pay in full. The representative claims failure to pay the unpaid bill will result in either arrest, additional fines or shutting off access to electricity, gas or water. According to the impostor, the regular payment portal for these services is currently offline, but the victim can submit payment through another portal which, conveniently, they can access by following a link or scanning a QR code. The payment portal the victim is directed to often mimics the real portal down to the finest detail, providing a false sense of security that it is legitimate.
False sense of security. Reports to BBB and additional screenshots, emails and texts detail how scammers include a legitimate QR code for the company or entity they are claiming to represent to give victims a false sense of security. These QR codes route to the official website for the organization, leading victims in receipt of these communications to more likely believe that the scammer is a legitimate representative. Other codes will direct the victim to what appears to be an employee profile that includes official logos, badge numbers, professional headshots and additional information designed to ease any fears the victim may have. Once the scammer is confident that they have convinced their target, the likelihood that the victim will provide whatever information or money is requested drastically increases.
The BBB offers these tips for avoiding a QR scam.
• Confirm QR code before scanning. If you receive a QR code from a friend via text or a message on social media from a workmate, be sure to confirm with that person they meant to send you the code to verify they have not been hacked.
• Do not open links from strangers. If you receive an unsolicited message from a stranger that includes a QR code, BBB strongly recommends against scanning it. If the message promises exciting gifts or investment opportunities under the condition you act now, be even more cautious.
• Be wary of short links. Suppose a shortened URL appears when hovering your camera over a QR code. In that case, there is no way of knowing where it will direct you. Make sure you are confident the QR code is legitimate before following short links, as it may send you to a malicious website. Once on the website, look at the URL and verify the domain and subdomain make sense for the organization that supposedly operates it. Scammers often switch around the domain and subdomains for URLs or slightly misspell one word to make websites appear legitimate.
• Check for tampering. Some scammers attempt to mislead consumers by altering legitimate business ads or placing stickers on the QR code. Keep an eye out for signs of tampering and, if discovered, have the business check that the posted QR code is genuine. Most businesses permanently install scannable QR codes in their establishments using laminate or placing it behind glass. They may include the business’ logo in the code itself, often in the middle.
If you’ve been the victim of a QR scam, report it at BBB.org/ScamTracker. Information provided may prevent another person from falling victim.
