FEATURED ARTICLES

Have you been seeing more QR codes recently? They’re little squares with black-and-white dots that tell you to scan them to visit websites. Ideally, they’ve made our lives more convenient by making accessing information and completing transactions easier.

At the same time, that strength has brought about some complexity regarding protecting information. Despite their ease of use, QR codes provide a gateway to identity theft and fraud.

To protect yourself and your finances, it is highly recommended that you learn as much as possible about QR code scams and what you can do to prevent them. Here is a quick primer on QR code fraud and how to counteract it.

An Introduction to QR Codes

The “quick-response code” (QR code) has been around since the 1990s when it was developed to expand upon barcode technology (also known as UPC). A standout feature of QR codes today is that they use the camera feature of smartphones and tablets to retrieve information.

QR code use soared in the 2010s and gained prominence in recent years since it could use the Internet to access digital documents to reduce paper waste and the spread of germs.

Today, you may see QR codes in many places. Scanning them can take you to web pages or portals to use new services. Common places to find QR codes include:

• Restaurants
• “Paperless” establishments
• Parking lots and garages
• Service-based businesses
• Kiosks like ATMs or self-serve screens
  

How QR Codes Facilitate Fraud

As with any emerging technology, QR codes' potential to benefit society is also weighed down by their ability to harm. QR codes can also facilitate fraud and identity theft.

In the consumer space, most scanned QR codes take people to websites where they can complete a transaction or access more information. This practice is not unlike opening a web browser on a computer and clicking on a link.

Fraudsters can create QR codes that lead to malicious websites, impersonating legitimate establishments and tricking you into providing sensitive information.

Worse, producing a “dummy” QR code is as easy as creating a sticker. A common practice of QR code scams is to create a dummy code and put it on top of the QR codes of a legitimate establishment. This tricks people into visiting illegitimate websites.

Fraudulent QR codes can take you to virtually any place on the Internet. For most QR code scams, you may be taken to the following:

• A dummy login page or form. These web pages are made to look like the login page of a real business. They may ask you to create an account, provide information, or use your login credentials.

   

• Malicious download page. Fraudulent QR codes might take you to a website where it will start downloading a malicious file. “Malware” can infect your device and do almost anything, like track your position, send your files to a third party, or even siphon off your sensitive information to be used or sold to an underground market.
  

As with any scam meant to steal your information, letting your guard down against a dummy QR code can open you up to other forms of identity theft or fraud. Therefore, knowing how to handle QR codes is important so your information is not stolen.

Defending Against QR Code Scams

Do you remember your training against phishing scams? QR code scams are similar to what you’d find in email and general web browsing.

A QR code is a lot like a phishing scam, albeit with different steps. Just like in phishing, a QR code scam will try to get you to visit a suspicious website and take some action.

QR code scams can be used for other types of scams, including smishing, which uses a text messaging service to get you to surrender sensitive information. A bad actor may try to text you and pressure you to scan a QR code to complete a transaction.

QR codes are easy to print out and place in sticker form, so it’s possible to find fraudulent QR codes hanging around legitimate places of business. It is very easy for a scammer to stick their fake code on top of real ones.

Here’s what you can do to guard against QR code scams.

• Confirm QR code usage first: If you see a QR code where you are conducting business or dining, speak to an employee first. They should be able to confirm where scanning their QR codes should take you. If nobody is available, try calling the place of business.

   

• Recognize QR code tampering: Fraudsters will try to tamper with existing QR code labels to trick you into scanning theirs. Examine where a QR code is placed before taking out your camera. If it looks like a sticker placed on top of another QR code, you should be suspicious and get help.

   

• Verify URLs: QR code scanning skips the step of entering a web address in a browser. When scanning a code, your camera app should report the site address to you. If the address looks strange, don’t confirm going to the page. Cancel the action and report it to an employee on the premises.

   

• Know the signs of a spoofed website: Even after confirming a QR code scan, verifying whether the site you are visiting is the real deal is always good practice. Legitimate websites should use an encrypted connection and a verifiable domain. Try to find a valid security certificate before proceeding, especially if it’s a login portal.

   

• Use common sense: Restaurant menus on the web should never ask you for credit card information. If scanning a QR code leads you to a place you aren’t expecting, close your mobile device’s browser and talk to someone.
  

Protecting your information should be a priority. Never let convenience cloud your judgment when it comes to your finances.

First Florida is your staunch ally in the fight against identity theft. Visit our Scam and Fraud Education page to learn how to spot malicious activity and protect your information.