In an effort to minimize physical contact at businesses across the nation in response to the COVID-19 pandemic, many companies have turned to QR codes to guide customers to their apps, menus, events or package tracking services. However, BBB Scam Tracker is receiving reports of con artists who are using QR codes as a disguise to direct victims to malicious websites, prompting the user to input personal information or login credentials for the scammers to steal.
How the Scam Works
You encounter a QR code through an email, direct message on social media, text message, flyer or other marketing material that appears legitimate. After scanning the code with your phone’s camera, it may direct you to a phishing website and request the user to provide basic information to access content. Other times, con artists use QR code to automatically launch payment apps or follow a malicious social media account.
In many cases, scammers who are sending fraudulent letters or emails include the official QR code of the organization or entity they are claiming to represent to appear more credible. One victim reported this tactic to BBB Scam Tracker when they received a fraudulent letter regarding student loan consolidation.
QR codes are also a common element in cryptocurrency scams, where Bitcoin addresses are often sent via QR codes. One consumer who was contacted by a “binary and forex” trader through Instagram about an investment opportunity said, “after I had paid the withdrawal fee through the Bitcoin machine and sent it to the QR code I was provided, I received another email saying I needed to pay a cost of transfer fee. This is when I figured out that something wasn’t right.”
How to Avoid QR Scams
Confirm QR code before scanning. If you receive a QR code from a friend via text or a message on social media from a workmate, be sure to confirm with that person they meant to send you the code to verify they have not been hacked.
Do not open links from strangers. If you receive an unsolicited message from a stranger that includes a QR code, BBB strongly recommends against scanning it. If the message along with the code promises exciting gifts or investment opportunities, exercise extreme caution if you decide to interact with it.
Verify the source. If a QR code appears to come from a reputable source, it is wise to double check with the business or entity to verify its authenticity. Call or visit their official website to confirm it is legitimate and that the source of the communication is a part of the organization.
Be wary of short links. If a shortened URL appears when scanning a QR code, there is no way of knowing where the code will direct you once the link is followed. It may be a guise for a malicious website.
Check for tampering. Some scammers attempt to mislead consumers by altering legitimate business ads or by placing sticks on the QR code. Keep an eye out for signs of tampering and, if discovered, inform the business or entity to ensure the posted QR code is genuine.
Install a QR scanner with added security. Some antivirus companies have QR scanner apps that check the safety of a scanned linked before it is opened. These apps can assist in identifying phishing websites, forced app downloads and other dangerous links.
To learn more about protecting your information online, read the BBB’s tips on data privacy and cyber security.
If you’ve been the victim of a QR scam, report it at BBB.org/ScamTracker. Your report may prevent another person from falling victim.