QR codes emerged as a popular tool during the COVID-19 pandemic in restaurants, to pay for items and exchange funds, and even to board a flight. Our smartphones are equipped with technology to scan these codes, making them easy to use — as well as manipulate.
According to a recent Federal Trade Commission (FTC) report, scammers have taken to using these seemingly harmless QR codes in “countless” ways to obtain information from unsuspecting victims by inserting harmful links inside them.
“A scammer’s QR code could take you to a spoofed site that looks real but isn’t. And if you log in to the spoofed site, the scammers could steal any information you enter,” according to the report. In another situation, “the QR code could install malware that steals your information before you realize it.”
How to spot QR code scams
In its report, the FTC shared some circumstances under which the QR code that you are about to scan could potentially be bogus. The fraud can be carried out in person and/or sent through your phone. It can involve scammers who:
- Cover up legitimate QR codes on parking meters and replace them with their own bogus codes.
- Pose as delivery service people during the holiday season who falsely report an issue with your order or delivery.
- Falsely claim there is suspicious activity with one of your accounts and that you need to re-enter or change your information.
Popular holiday scams
It’s an especially vulnerable time of year with the holidays and an uptick in shopping, deliveries and expenditures. Scammers are all too keen to take advantage of these facts, as noted in a recent Visa scam alert.
“Crooks prepare all year for the holiday shopping season, taking advantage of increased activity and consumers who let their guard down [while] searching for the perfect gift,” Paul Fabara, Visa chief risk officer, said in the alert.
Kiplinger recently reported on a number of other consumer fraud alerts this time of year. These include a package delivery scam targeting shoppers, as well as a warning about scammers pretending to be from your utility company.
There's also a new artificial intelligence (AI)-based voice cloning scam that has regulators scrambling for solutions. Fraudsters are using AI technology on phone calls to trick people into believing that, for instance, there is an emergency involving a loved one that requires urgent action.
What to do
It’s important to stay especially diligent this time of year as you may see even more QR codes than usual — legitimate and otherwise.
The FTC recommends you take steps such as:
- Inspecting a QR code before opening it, especially if you see it somewhere unexpected. “If it looks like a URL you recognize, make sure it’s not spoofed — look for misspellings or a switched letter,” the FTC said.
- Being wary of QR codes delivered through email or text, especially if they are marked as urgent. The agency recommends that you contact the company directly through its email address or listed phone number to see if the message is legitimate.
- Ensuring that your phone is up-to-date with protective updates and use strong passwords and multi-factor authentication for your accounts.
The FTC also encourages people to submit a report if they believe they were scammed or think they have seen a scam.
The agency said it will share reports with more than 2,800 law enforcers and, while it cannot resolve individual reports, it uses them to investigate and bring cases against fraud, scams and bad business practices.