There are many legitimate and helpful uses for QR codes. However, scammers have also taken note of the technology and use QR codes to carry out various schemes.
Consumer reports to BBB and warnings issued by police departments in cities nationwide detail how some QR codes direct users to phishing websites, fraudulent payment portals, and downloads that infect devices with viruses or malware. While the way victims are exposed to QR code fraud varies, a common theme identified in reports is that most come from unsolicited communications or a QR code posted in a publicly accessible location.
How this scam works
Parking meter payment. Fraudulent QR codes can be placed on the back of parking meters, leading victims to assume they can pay for parking through the QR code if they do not have change. After paying for the spot through the QR code, some victims might return to find their vehicle has been towed or has received a parking ticket for non-payment, multiplying the amount of money lost.
Cryptocurrency wallets and romance scams. Scammers spend months building a romantic relationship with their victim, which ultimately results in them asking for financial assistance through a cryptocurrency exchange or ‘advising’ the victim on cryptocurrency investment. The victim follows the provided QR code and transfers the requested amount to the scammer’s digital wallet. Many lose thousands of dollars before they discover they are being scammed.
Phishing scams. The design of QR codes makes it impossible for the user to know where the code will direct them after scanning, allowing scammers to send victims to phishing websites or downloads that will infect devices with malware. Many phishing attempts begin with a notification of ‘suspicious activity’ on one of the victim’s online accounts and include a link or QR code for the user to verify their identity. In reality, the information provided goes to a scammer.
Utility and government impostors. Many consumers report their utility company or a government agency contacts them regarding an outstanding debt they must immediately pay in full or else face arrest, additional fines, or shutting off access to utilities. According to the impostor, the regular payment portal for these services is currently offline, but the victim can submit payment through another portal which they can access by scanning a QR code. The payment portal the victim is directed to often mimics the real portal down to the finest detail, providing a false sense of security that it is legitimate.
Business owners report receiving letters in the mail from government agencies regarding the “Corporate Transparency Act,” labor laws, or other business-related filing requirements. The letters include a QR code to scan to complete these “reporting requirements,” but these letters are fake and the QR code may link to a suspicious webpage.
False sense of security. Reports to BBB detail how scammers include a legitimate QR code for the company or entity they claim to represent to give victims a false sense of security. These QR codes route to the official website of the organization, making victims who receive these communications more likely to believe that the scammer is a legitimate representative. Other codes will direct the victim to an ‘employee profile’ that includes official logos, badge numbers, professional headshots, and additional information designed to ease the victim’s fears.
How to avoid similar scams
Confirm the QR code before scanning. If you receive a QR code from a friend via text or a message on social media from a workmate, confirm with that person that they meant to send you the code. Avoid scanning any QR code until you know they sent it on purpose.
Do not open links from strangers. If you receive an unsolicited message from a stranger that includes a QR code, BBB strongly recommends against scanning it. If the message promises exciting gifts or investment opportunities under the condition you ‘act now,’ be even more cautious.
Be wary of short links. If a shortened URL appears when you hover your camera over a QR code, there is no way of knowing where it will direct you once you follow the link. Make sure you are confident that the QR code is legitimate before following short links, as they may send you to a malicious website.
Check for tampering. Some scammers attempt to mislead consumers by altering legitimate business ads or placing stickers over the QR code. Keep an eye out for signs of tampering and, if discovered, have the business check that the posted QR code is genuine.
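The checks described in the short-link tip and the impostor payment portal section can be applied to the text a scanner previews before the link is opened. The following is an added example, not part of the BBB article: the function name, the expected_domain parameter, the shortener list and the sample links are all assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a small sample of public URL shorteners, not an exhaustive list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly", "goo.gl"}

def triage_qr_payload(payload, expected_domain):
    """Return warnings for text decoded from a QR code.

    expected_domain (hypothetical parameter) is the organization's site as the
    reader already knows it from a trusted source, never taken from the code.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed link"]
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return ["not a web link (scheme: %s)" % (parts.scheme or "none")]
    warnings = []
    if parts.scheme != "https":
        warnings.append("connection is not HTTPS")
    if parts.username or parts.password:
        warnings.append("text before '@' can disguise the real host")
    if host in SHORTENERS:
        warnings.append("short link hides the final destination")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another name")
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        warnings.append("host %s is not %s or a subdomain of it" % (host, expected))
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads using reserved .example/.test names.
    samples = [
        "https://pay.cityparking.example/meter/42",
        "https://bit.ly/3abcdEF",
        "http://cityparking.example.pay-now.test/login",
        "https://cityparking.example@203.0.113.7/pay",
    ]
    for s in samples:
        print(s, "->", triage_qr_payload(s, "cityparking.example") or "no warnings")
```

An empty result only means none of these specific warning signs were found; it does not prove the destination is genuine.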