QR codes have been around for some time, but they saw an increase in usage as the COVID-19 pandemic became more serious. For example, the square black and white images made it safer for people to view a restaurant’s menu. Instead of physically handling it, they can see it on their phones.
But with the resurging popularity came a few scams, too. You don’t need a QR code app to follow the embedded links, but that didn’t stop scammers from releasing fake QR code apps.
Now, scammers are placing malicious QR codes in businesses across the country and sending them to unsuspecting victims in other ways. Read on for details on these tricky scams and how to avoid them.
Here’s the backstory
A QR code, or Quick Response code, is a type of barcode invented years ago. The optical label, through random patterns, stores data such as a website’s URL, a link to an app or contact information.
They work by scannning the QR code with your phone’s camera, and a link pops up with a short description. But in most cases, you have no idea where exactly it is taking you before tapping on the URL.
The Better Business Bureau (BBB) warns about malicious QR codes being used by scammers across the U.S. BBB said, “Malicious QR codes direct users to phishing websites, fraudulent payment portals, and downloads that infect devices with viruses or malware.”
Here are some recent QR code scams:
- Parking meter payments – Fraudulent QR codes are often placed on the back of parking meters, leading victims to assume that they can pay for parking through the QR code if they do not have change. You’re not paying for parking at all if it’s a fraudulent QR code. Instead, you’ll be paying scammers, and your car could be towed when you return.
- Cryptocurrency wallets and romance scams – Scammers spend months building a romantic relationship with a victim, ultimately asking for financial assistance through a cryptocurrency exchange or advising the victim on cryptocurrency investments. Believing the scammer is in dire need or has their best interest in mind, the victim follows a provided QR code and transfers the requested amount to the scammer’s digital wallet.
- Phishing scams – Scammers send malicious QR codes, sending victims to phishing websites or downloads that will infect devices with malware.
- Utility and government impostors – Many victims have reported they are contacted by their utility company, the Social Security Administration or the IRS regarding an outstanding debt they must immediately pay in full. The representative claims failure to pay the unpaid bill will result in arrest, additional fines or shutting off access to electricity, gas or water. According to the scammer, the regular payment portal for these services is currently offline. But the victim can submit payment through another portal which, conveniently, they can access by scanning a QR code. The code leads to a spoofed site that will rip you off.
How to scan QR codes with your phone
Remember, you don’t need a separate app to scan QR codes. Your phone’s camera can do it automatically. But you might need to enable QR code scanning on your phone. Here’s how.
- Tap Settings.
- Scroll down and tap Camera.
- The second to last setting in the first block is Scan QR Codes. Toggle the slider to the right to enable the tool if it isn’t already enabled. It’ll be green when enabled.
- Open the camera on your Android phone.
- Tap the Settings cog.
- Choose More settings.
- Enable Google Lens suggestions.
For Samsung phones:
- Swipe down your screen to access your Quick Settings and tap on QR Scanner.
- Tap OK to proceed to the next step.
- The Camera app will be launched where you can scan QR codes. Once the QR Code is scanned, you should be able to launch the webpage below.
- You may need to enable this setting if the QR Code cannot be scanned. Tap on the Camera Settings icon button.
- Toggle on Scan QR codes.
Now that QR code scanning is enabled, you should be able to open the camera on your phone and point at a QR code to get the link. It’s that easy.
Avoiding QR code scams
Here are suggestions from the BBB to avoid QR code scams:
- Confirm QR code before scanning – If you receive a QR code from a friend via text or a message on social media, be sure to confirm with that person they meant to send you the code to verify they have not been hacked.
- Do not open links from strangers – If you receive an unsolicited message from a stranger that includes a QR code, don’t scan it! Be even more cautious if the message promises exciting gifts or investment opportunities under the condition you act now. Scammers use this type of language consistently and rely on their targets to make immediate decisions before taking the time to verify its authenticity.
- Be wary of short links – Imagine a shortened URL appears when hovering your camera over a QR code. If it does, there is no way of knowing where it will direct you once clicked. Ensure the QR code is legitimate before following short links, as it may send you to a malicious website. Pro tip: Once on the website, look at the URL and verify that the domain and subdomain make sense for the organization that operates it. Scammers often switch the domain and subdomains for URLs or slightly misspell one word to make websites appear legitimate.
- Check for tampering – Some crooks try to mislead you by altering legitimate business ads or placing stickers on QR codes. Keep an eye out for signs of tampering and, if discovered, have the business check that the posted QR code is legit. Most businesses permanently install scannable QR codes in their establishments using laminate or placing it behind glass. They will sometimes include its logo in the code, often in the middle.
If you’ve been the victim of a QR scam, report it at BBB.org/ScamTracker. Information provided may help prevent others from falling victim.