Touchless QR codes open new doors for scammers

A QR code in Russia. If you receive an unsolicited message from a stranger, don't scan the QR code, even if they promise you exciting gifts or investment opportunities. — AP

Anyone who ventured into a restaurant during the pandemic knows that the QR code is a contactless way to look at a menu. Why keep passing around old plastic menus that can go through a ton of hands as we fight the virus?

And now, scammers want to offer you that touchless experience too.

We're well versed on why consumers don't want to click on links or attachments in texts or emails that arrive out of the blue. But the Better Business Bureau is warning consumers that they need to be extra careful if they're sent a digitally readable square known as a QR code.

One victim told the BBB Scam Tracker that they received a fraudulent letter about student loan consolidation. It contained a QR code that appeared to link to the official website. The QR code also helped the letter, which was part of a fraud, appear official.

A QR code — or quick response code — is a matrix bar code that took off in the manufacturing industry after it was developed in 1994 by engineers working for Denso Wave, a Japanese auto parts supply giant.

Using the camera on a smartphone, a blob of black and white turns into a list of food and drinks on the restaurant menu, which is now on your phone.

Companies use QR codes to point consumers to their apps and track packages, too.

Don't download malware

As the QR codes have become more commonly used, though, the BBB notes that it has received reports nationwide of con artists using the system to their advantage.

Laura Blankenship, chief of staff and director of marketing for the Better Business Bureau Serving Eastern Michigan, said locally she has not received any of QR code complaints yet but it's likely just a matter of time.

"This is much like a phishing scams," she said.

"Just like clicking links, you have to be careful what website you're opening on your phone. If you've never heard of the organisation or the website where the QR code is supposed to go to, that's a huge red flag."

She said the use of the QR code by scammers offers another way to steal personal information or get you to download malware onto your device.

Experts note that QR codes are a bit like a shortened URL when it comes to fraud: A consumer isn't going to be able to immediately see where the link will take them. So criminals can disguise their motives and abuse the technology.

The BBB alert said the scam can start via an email, a direct message on social media, a text message, a flyer, or a piece of mail that includes a QR code.

The scammers want you to scan the code with your phone's camera. But you have no idea where the QR code could end up taking you or what the scammers might do next.

Some possible bad outcomes: The crooks can now send text messages to one or all contacts in a user's address book; or even send a payment to a destination where it cannot be recovered, according to an alert earlier this year by the US Army Major Cybercrime Unit.

"In some scams, the QR code takes you to a phishing website, where you are prompted to enter your personal information or login credentials for scammers to steal," the BBB warned.

"Other times, con artists use QR codes to automatically launch payment apps or follow a malicious social media account."

Scams can differ but the crooks want you to scan the code right away. What you need to do, though, is step back and make sure any correspondence is legitimate before you scan the code. Contact the friend or co-worker directly to see what they might have sent and make sure the sender wasn't hacked.

What are the red flags of QR code scams?

The BBB and others offer these warnings:

Don't open links from strangers. If you receive an unsolicited message from a stranger, don't scan the QR code, even if they promise you exciting gifts or investment opportunities.

Verify the source. If a QR code appears to come from a well-known company or government agency, take extra time to go to the official website to confirm it.

Be suspicious if, after scanning a QR code, a password or login information is requested. Don't give that extra information.

Be wary of short links. If a URL-shortened link appears when you scan a QR code, understand that you can't know where the code is directing you. It could be hiding a malicious URL. Some scammers attempt to mislead consumers by altering legitimate business ads.

Install a QR scanner with added security. Some antivirus companies have QR scanner apps that check the safety of a scanned link before you open it. They can identify phishing scams, forced app downloads, and other dangerous links.

Adam Levin, founder of CyberScout and author of Swiped: How To Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves, said consumers need to realise that QR codes are easy to print out.

"Scammers sometimes cover legitimate QR codes with bad ones," he said.

"If you're at an outdoor cafe and each table has a QR code linking to the menu, it's relatively easy to replace the code with one that links to malware," Levin warned.

"This is doubly the case if the QR code directs you to another link-shortening service such as, which can hide the final online destination of the code."

In general, he said, consumers need to be more cautious with the QR codes and even use them sparingly.

"Your smartphone can be a gateway to your personal data, finances and accounts," he said. "Scanning QR codes and hoping for the best is asking for trouble."

Overall, Levin said, it's a good rule of thumb to turn your smartphone off and restart it regularly.

"Many forms of malware that live in your phone such as spyware depend on the device never being turned off." – Detroit Free Press/Tribune News Service

Article type: metered
User Type: anonymous web
User Status:
Campaign ID: 1
Cxense type: free
User access status: 0
Subscribe now to our Premium Plan for an ad-free and unlimited reading experience!

Next In Tech News

Analysis-GM goes slow on EVs as rivals fight a price war
Elon Musk seeks to end lawsuit over 'inadvertent' late disclosure of Twitter stake
Exclusive-EU industry chief Breton to hold video call with Twitter's Musk - EU official
Russian tech giant Yandex says code leaked in cybersecurity incident
Exclusive-Warner Bros Discovery licenses movies and TV shows to Roku, Tubi
U.S. Justice Department asks Tesla for documents on driver assist systems
Jail for man in S’pore who used Microsoft Word to forge S$25,000 bank transaction to sugar baby
U.S. seeks Tesla driver-assist documents; company hikes capex forecast
AI voice tool ‘misused’ as deepfakes flood web forum
Spotify shares jump on bullish outlook as more users tune in

Others Also Read