Before you scan a QR code, make sure it’s legitimate
Technology has made seemingly everything fast, convenient and easily accessible. This is certainly true of quick response (QR) codes, those ubiquitous symbols you can find on everything from restaurant menus to product packages to advertisements. When you scan QR codes with a smartphone, you can access prices, instructions, product information and even payment apps.
But as with most technologies, fraud perpetrators have found ways to exploit QR codes — and steal from consumers and businesses. Here’s what you need to know.
How thieves use them
Last year, the FBI issued an alert about QR code tampering. Fraudsters replace or alter QR codes so that users are directed to malicious websites or inadvertently download malware onto their devices. Such schemes enable fraudsters to access victims’ account usernames and passwords and personal and financial information.
Unfortunately, it’s very easy for criminals to create QR codes using online tools. They replace the codes of legitimate businesses with their own by, for example, placing stickers over existing codes. Such stickers have been found on menus, parking meters, signs in front of businesses and packaging of all kinds. Fraudsters might also include them in phishing emails or printed advertisements, coupons or surveys sent through the U.S. Post Office.
Preventing QR fraud is similar in many ways to foiling phishing schemes. When you’re directed to a website, scrutinize it for authenticity. Fraudulent sites often look amateurish and feature misspellings and typos. The site’s name may be similar — but not quite the same — as the site you intended to visit. If you’re suspicious, don’t type in a username, password or payment information. Leave the site immediately.
Other ways to avoid QR code traps are to:
- Inspect physical objects for stickers or other signs the original QR codes have been replaced.
- Be careful about scanning any QR code included in an email. Try to verify the authenticity of the email first.
- Use only your phone’s camera to scan codes. You shouldn’t download a QR code app.
- Don’t make payments via QR codes. Go directly to the website by typing in the URL and only use payment processing systems that encrypt your information with SSL or TLS protocols.
Businesses can help protect themselves by routinely checking online and physical sites where they’ve placed QR codes for signs of tampering. Include a message with your QR code telling customers that they should notify you if scanning your code takes them to a suspicious site.
Be on guard
Not even QR codes are safe from fraud perpetrators. As with all types of fraud, your best defense is a good offense. Look closely at QR codes before you scan them and scrutinize the sites they lead to.