If you’re often trying to stay up on the latest scams, so you don’t someday become a cautionary tale where you share a story with your friends about having your bank account emptied and your identity stolen, you’ll want to start paying attention to QR code scams.
Criminals have some pretty ingenious ways to rip off the public. If they weren’t causing so much havoc and evil, you’d almost have to admire their creativity and give out awards for the best or worst in scams. Con artists have gone far beyond the days of spamming people with emails that have suspicious-looking links in them or calling older adults and pretending to be a grandchild in jail and needing bail money.
So what are QR code scams, and how do you spot them? We’ll explain ― and without making you scan a QR code.
What are QR codes?
Even if you don’t know what a QR code is, you’ve seen them. They’re those bar codes with black and white squares and lines; you use your phone’s camera to scan them, and then suddenly, you’ve got a website opening up on your phone, or maybe you’re being given a coupon to a restaurant. Reputable businesses and organizations use QR codes all the time, and during the onset of the pandemic, many restaurants began using them instead of physical menus.
What are QR code scams?
The QR code scam is afoot when a cybercriminal posts a QR code that looks like it’s coming from a reputable brand, organization or individual, then a perfectly nice person (that would be you) scans the code into their phone, and something bad happens, like you’ve just installed malware on your phone.
That could mean your phone is suddenly inoperable, or maybe worse: The phone seems to work fine, but a hacker can now access your personal information.
Being the victim of a QR code scam can be a terrible situation, according to Maria-Kristina Hayden, CEO and founder of OUTFOXM, Inc., a cyber hygiene and resiliency company based in New York City.
“Not only can QR codes act as malicious links, bringing you to a nefarious website or downloading malware, but they can also be programmed to make calls and send messages to your contacts,” Hayden said. “A client of mine scanned a QR code that surreptitiously wrote and sent emails from his account to his entire contact list. The emails contained malicious links that sought to harvest recipients’ bank login information… and friends and family clicked because of the well-worded disguise.”
You are alarming me. How likely will I be scammed by a QR code, really?
We aren’t trying to worry anyone. We’re just informing you of the latest and not-so-greatest when it comes to the extremes crooks go to make a person’s life miserable.
There aren’t statistics for how many QR code victims there are, but InsiderIntelligence.com suggested that in 2022, 83.4 million Americans scanned a QR code. There are enough anecdotes out there that should give you some pause before you randomly scan any ol’ QR code into your phone. It’s common enough that warnings have been issued by the FBI, the Michigan Attorney General’s office, Better Business Bureau, and so forth.
For example, you may risk being duped by a fake QR code when you are…
Parking your car. Imagine going to a city or town’s parking meter or municipal parking lot where you’re supposed to scan a QR code, which will open up the parking lot or meter’s website, allowing you to book and pay for your parking.
Now imagine discovering later that, huh, what do you know, scammers covered up the authentic QR code with a sticker featuring their own fake QR code.
This is a fairly big problem.
The QR code parking scam has hit parking meters and lots in Myrtle Beach, in and around Atlanta, Baton Rouge, Portland, Maine, and… well, no need to mention every city in the country. You get the point. As if finding a good, affordable parking space isn’t hard enough. Now we all have to worry about being ripped off by fake parking QR codes.
Eating at a restaurant. Ani Chaudhuri, CEO at Dasera, a software security company in Mountain View, California, said that he has a friend who works in cyberfraud prevention who shared a story about a diner in a busy city.
The diner, Chaudhuri said, downloaded a QR code “for a contactless menu.” Unfortunately, the QR menu code was fake.
“Scammers placed their own malicious QR sticker over the restaurant’s legitimate one. Unsuspecting customers scanned the code, leading them to download malware, effectively compromising their personal information,” Chaudhuri said.
Drinking tea. Yes, the scammers are even coming for your tea. This belongs in our “restaurant” example, but we’re trying to make an easy-to-skim list. Earlier this year, a woman in Singapore went to a bubble tea shop and saw a sticker pasted on the front door. The sticker said that if customers scanned the QR code and completed an online survey, they’d get a free cup of milk tea. That night, scammers entered the woman’s bank account and took $20,000.
It’s easy to see why the customer was duped; a sticker on the front door of a business would look legit. It’s also understandable that the business owner or staff wouldn’t immediately notice a sticker on the front door. Who would think to look for such a thing?
Paying a bill. Some crooks have sent emails, posing as utility companies or perhaps representatives from the Social Security Administration or IRS. In these scams, the crook will claim that you’ve neglected to pay a bill and tell you that you’re about to be arrested, have your utilities shut off, or something else horrifying.
You can imagine an older adult perhaps being alarmed and sucked into this scam. In any case, the utility “worker” will then tell the victim that the regular payment portal is offline (which should be a huge red flag), but they can submit payment and make everything right by scanning the handy dandy QR code that the crook has just sent.
And that’s part of the ingenuity of these scams. Fake QR codes look authentic and professional. It recently happened in San Francisco with traffic ticket payments.
Here’s how to avoid being a victim of a QR code scam.
Never use a QR code again. No, that seems impractical and kind of sad since you’d be removing yourself from what’s becoming an integral part of our digital society. So don’t do that.
Instead, you have a few other options.
Stay on guard. Just as you aren’t giving up on email, texting, or using your phone (all ways that con artists try to fleece their victims), you’ll want to think about the circumstances revolving around this QR code before automatically scanning it.
If you get a QR in an email, you’ll want to look hard at the email before you scan it. It may well be a genuine email, but some criminals send emails that they hope to look like they’re from a real company, hoping you’ll scan the QR code to get a coupon. Also, most businesses encourage customers to go to their app to download a QR code rather than send an email with a QR code to scan.
And then, if you scan the QR code, and it takes you to a website, take a hard look at that, too.
“Check carefully, as they may choose closely related URLs. For example, they may change a single letter from the legitimate URL, or they may change a .com to a .net, for example,” Gardener said.
Or maybe you can see the URL starts with http:// instead of https://. The lack of that “s” doesn’t automatically mean it’s a bad website, but it’s not a good sign. An “s” at the end means the site has extra security around any data shared between your device and the website.
You could get a QR code scanner app. There are free and low-cost QR code scanners out there, where you open the app and then, with that, scan the QR code, and if it’s a fake, you’ll be alerted. It’s like getting the software to keep malware away from your computer; only these QR code scanner apps keep the fake QR codes at bay.
The only problem with this strategy? Fake QR code scanner apps exist, too.
Still, Gardner and Hayden said, as do many cybersecurity experts, that as long as you’re working with a reputable QR code scanner, it can be a good way to have an extra layer of protection. Hayden noted that some big-name antivirus companies also offer QR code scanners.
Keep your phone updated with security patches. That may help combat malware if you do wind up downloading something malicious.
The bottom line on QR code scams.
If you scan a fake QR code and realize that you’re at a fake website, don’t panic, but close the website immediately. The fake QR code shouldn’t hurt your phone. It’s what comes next that generally will put you in a fix. For instance, do you click on something on a fake website that downloads malware? Do you end up offering thieves personal information as you fill out a form?
“QR codes, while convenient, have opened up another avenue for scammers to exploit the unwary,” Chaudhuri said.
And if we want to keep from becoming a cautionary tale, it’s up to all of us to be wary.