QR codes have become a way for scammers to hide malicious links since they can’t be read by the human eye. Here’s how to spot these scams.
Have you ever received an unsolicited message with a Quick Response (QR) code? One of our VERIFY readers did and asked the team if a scammer was targeting her.
Legitimate companies and businesses use QR codes to point people to their websites, encourage app downloads or display menus, among other uses. If you scan the code with your cellphone camera, it will open a link.
Stephanie told VERIFY she received a postcard in the mail claiming to be from Amazon.com, inviting her to test a new product. The postcard said the recipient could scan a QR code to register their name and contact information or send an email if they were interested.
The postcard Stephanie received is a scam and “not authorized by Amazon,” a spokesperson confirmed to VERIFY, adding that the company encourages people not to respond to these types of messages.
“Amazon requires sellers to follow specific guidelines for any communication with customers. Sellers are not permitted to send marketing or promotional messaging, including coupons,” the spokesperson wrote in an email.
Customers should look for an @amazon.com email address to confirm that a promotion is really from the company. The email address listed on the postcard is firstname.lastname@example.org, which is not associated with Amazon.
The postcard also has classic warning signs of a scam that VERIFY has previously identified, including using a generic greeting (“Dear Customer” instead of Stephanie’s name), an email address that isn’t tied to Amazon, and prompts to open a link where the recipient would input personal information.
Amazon says its website URLs always have a period before amazon.com – such as pay.amazon.com. Links that take customers to websites that aren’t legitimate Amazon domains are likely phishing attempts. Amazon customers can report scam attempts online.
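The domain rule above can be checked mechanically on the link a QR code decodes to. The Python below is an added example, not code from Amazon, the BBB or the FBI; the function name, the http/https-only restriction and the sample links are assumptions constructed for illustration. It compares the parsed hostname rather than the raw text, because a period before amazon.com can also appear inside a hostname that belongs to someone else.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "amazon.com"  # the domain named in the article


def is_amazon_host(url: str) -> bool:
    """True only if the link's host is amazon.com or a subdomain of it."""
    url = url.strip()
    # Backslashes and control characters are parsed differently by browsers
    # and by urlsplit, so treat any link containing them as untrusted.
    if any(ch == "\\" or ord(ch) < 0x21 for ch in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased; userinfo and port removed
    except ValueError:
        return False
    # Assumption: only ordinary web links are acceptable.
    if parts.scheme not in ("http", "https") or not host:
        return False
    host = host.rstrip(".")  # ignore a trailing root dot
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample links (not taken from the postcard or any real scam).
SAMPLES = [
    "https://pay.amazon.com/checkout",             # subdomain of amazon.com
    "HTTPS://WWW.AMAZON.COM:443/gp/help",          # case and port do not matter
    "https://pay.amazon.com.signin.example/",      # amazon.com is not the suffix
    "https://example-amazon.com/",                 # hyphen, not a period
    "https://amazon.com@login.example/",           # amazon.com is only userinfo
    "https://login.example/?site=pay.amazon.com",  # amazon.com only in the query
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict = "amazon.com host" if is_amazon_host(link) else "NOT amazon.com"
        print(f"{verdict:16} {link}")
```

A passing check only confirms where the link points; it says nothing about whether the message that carried the QR code was authorized.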
These types of QR code scams are on the rise, prompting warnings from both the Better Business Bureau (BBB) and FBI.
QR codes have become a way for scammers to “disguise malicious links” since they can’t be read by the human eye, the BBB says. In July 2021, the nonprofit said its scam tracker was seeing more reports of fraudsters using QR codes to trick people.
Scammers will often include QR codes in emails, social media messages, text messages, flyers or mail. In some of these scams, the QR code takes you to a phishing website where you are prompted to enter your personal information or login credentials, according to the BBB. Fraudsters will also use QR codes to automatically launch payment apps or links to follow malicious social media accounts.
In January 2022, the FBI also warned consumers about malicious QR codes through a public service announcement.
“Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information,” the federal agency said.
These codes may contain embedded malware, which allows a scammer to access the victim’s cellphone and steal their location, as well as personal information. Some criminals can also replace a QR code from a business that’s intended to facilitate payment with a fake code and redirect a customer’s payment.
One of these QR code scams targeted drivers at pay-to-park kiosks in the cities of San Antonio, Austin, and Houston, Texas, nonprofit Pew Charitable Trusts reported in February 2022. The scammers put stickers with fake QR codes on pay stations, which took drivers to a website that asked them to enter their credit card or bank account information.
“While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code. Law enforcement cannot guarantee the recovery of lost funds after transfer,” the FBI said.
The BBB and FBI offered these tips for avoiding QR code scams:
- If someone you know sends you a code via text message or social media, contact them to make sure it’s legitimate and they haven’t been hacked.
- Don’t scan QR codes that come in unsolicited messages from strangers, even if they promise gifts or other opportunities.
- Be cautious about entering login, personal or financial information on a website you reached through a QR code.
- Check website URLs to make sure they look authentic and don’t have typos or misplaced letters.
- Don’t download apps from QR codes.
- Be on the lookout for signs that someone tampered with a physical QR code, such as a sticker placed over the top of the original code.
- Install a QR code scanner with added security. Some antivirus companies have scanner apps that check the safety of a link before you open it. They can also identify phishing scams, forced app downloads and other dangerous links, the BBB says.