Touchless QR codes open new doors for scammers
Anyone who ventured into a restaurant during the pandemic knows that the QR code is a contactless way to look at a menu. Why keep passing around old plastic menus that can go through a ton of hands as we fight the virus?
And now, scammers want to offer you that touchless experience too.
We’re well versed on why consumers don’t want to click on links or attachments in texts or emails that arrive out of the blue. But the Better Business Bureau is warning consumers that they need to be extra careful if they’re sent a digitally readable square known as a QR code.
One victim told the BBB Scam Tracker that they received a fraudulent letter about student loan consolidation. It contained a QR code that appeared to link to the official Studentaid.gov website. The QR code also helped the letter, which was part of a fraud, appear official.
A QR code – or quick response code – is a matrix bar code that took off in the manufacturing industry after it was developed in 1994 by engineers working for Denso Wave, a Japanese auto parts supply giant.
Using the camera on a smartphone, a blob of black and white turns into a list of food and drinks on the restaurant menu, which is now on your phone.
Companies use QR codes to point consumers to their apps and track packages, too.
Don’t download malware
As the QR codes have become more commonly used, though, the BBB notes that it has received nationwide reports of con artists using the system to their advantage.
Laura Blankenship, chief of staff and director of marketing for the Better Business Bureau Serving Eastern Michigan, said locally she has not received any of QR code complaints yet but it’s likely just a matter of time.
“This is much like a phishing scams,” she said.
“Just like clicking links, you have to be careful what website you’re opening on your phone. If you’ve never heard of the organization or the website where the QR code is supposed to go to, that’s a huge red flag.”
She said the use of the QR code by scammers offers another way to steal personal information or get you to download malware onto your device.
Experts note that QR codes are a bit like a shortened URL when it comes to fraud. : A consumer isn’t going to be able to immediately see where the link will take them. So criminals can disguise their motives and abuse the technology.
The BBB alert said the scam can start via an email, a direct message on social media, a text message, a flyer, or a piece of mail that includes a QR code.
The scammers want you to scan the code with your phone’s camera. But you have no idea where the QR code could end up taking you or what the scammers might do next.
Some possible bad outcomes: The crooks can now send text messages to one or all contacts in a user’s address book; or even send a payment to a destination where it cannot be recovered, according to an alert earlier this year by the US Army Major Cybercrime Unit.
“In some scams, the QR code takes you to a phishing website, where you are prompted to enter your personal information or login credentials for scammers to steal,” the BBB warned.
“Other times, con artists use QR codes to automatically launch payment apps or follow a malicious social media account.”
Scams can differ but the crooks want you to scan the code right away. What you need to do, though, is step back and make sure any correspondence is legitimate before you scan the code. Contact the friend or co-worker directly to see what they might have sent and make sure the sender wasn’t hacked.
What are the red flags of QR code scams?
The BBB and others offer these warnings:
- Don’t open links from strangers. If you receive an unsolicited message from a stranger, don’t scan the QR code, even if they promise you exciting gifts or investment opportunities.
- Verify the source. If a QR code appears to come from a well-known company or government agency, take extra time to go to the official website to confirm it.
- Be suspicious if, after scanning a QR code, a password or login information is requested. Don’t give that extra information.
- Be wary of short links. If a URL-shortened link appears when you scan a QR code, understand that you can’t know where the code is directing you. It could be hiding a malicious URL.
- Some scammers attempt to mislead consumers by altering legitimate business ads.
- Install a QR scanner with added security. Some antivirus companies have QR scanner apps that check the safety of a scanned link before you open it. They can identify phishing scams, forced app downloads, and other dangerous links.
Adam Levin, founder of CyberScout and author of “Swiped: How To Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves,” said consumers need to realize that QR codes are easy to print out.
“Scammers sometimes cover legitimate QR codes with bad ones,” he said.
“If you’re at an outdoor cafe and each table has a QR code linking to the menu, it’s relatively easy to replace the code with one that links to malware,” Levin warned.
“This is doubly the case if the QR code direct you to another link-shortening service such as bit.ly, which can hide the final online destination of the code.”
In general, he said, consumers need to be more cautious with the QR codes and even use them sparingly.
“Your smartphone can be a gateway to your personal data, finances and accounts,” he said. “Scanning QR codes and hoping for the best is asking for trouble.”
Overall, Levin said, it’s a good rule of thumb to turn your smartphone off and restart it regularly.
“Many forms of malware that live in your phone such as spyware depend on the device never being turned off.”