QR codes — the black and white boxes that ordinarily connect smartphones to legitimate links to track packages and pay bills — can sometimes hide dangerous scams.
In a blog post published earlier this month, the Federal Trade Commission warned that some of the seemingly ordinary QR codes consumers come across every day can send them to harmful links that steal personal information.
“A scammer’s QR code could take you to a spoofed site that looks real but isn’t,” wrote Alvaro Puig, a consumer education specialist at the FTC, in the post. “And if you log in to the spoofed site, the scammers could steal any information you enter. Or the QR code could install malware that steals your information before you realize it.”
A researcher at Trellix, a cybersecurity company, told The New York Times this week the company saw more than 60,000 samples of attacks in the third quarter of 2023.
“It seems to be every year we hear more and more scammers using this software,” said Steve Bernas, president of Better Business Bureau of Chicago and Northern Illinois.
QR code scams are nothing new, Bernas said, but they became especially commonplace during the COVID-19 pandemic. The commission noted that QR codes from fraudsters might cover legitimate ones on parking meters or come in a text message.
Bernas added that scams might also look like a romantic email from someone in “dire need” of money or a utility company asking after a bill.
“But there’s no way to know if a QR code is a scam by looking at it,” he said.
“The scams are insidious, and we can all be victims,” said Neil Klingensmith, an associate professor of computer science at Loyola University Chicago.
QR codes in phishing emails, which targets consumers by appearing to be from a well-known source like Amazon, can infect phones with malware, allowing scammers to access the victim’s personal information.
While people with less tech savvy might be more susceptible, a well-crafted scam that looks like an email from Google has the potential to fool most people.
“A few years back, a good friend of mine from college clicked on a link from a phishing email and was about to type in his Google password before I stopped him,” said Klingensmith.
The best way to avoid QR code scams, Bernas said, is to avoid using QR codes or links when their origin is unknown. Don’t use QR codes from strangers or from emails or texts that weren’t expected. Always go to the website of utility or government entities to pay bills. Check for tampering on QR codes found in public areas.
Consumers should also use strong passwords and two-factor authentication to protect any online accounts, so it’s harder for scammers to access personal information even if they access the system, he said.
“The only reason scams keep increasing is because it works,” Bernas said. “I’ve been doing this for 36 years, and every year I see the same thing. It’s like every year it’s the wild west all over again.”