ST. PETERSBURG, Fla. — From restaurant menus to parking meters, and even on your screen while watching 10 Tampa Bay newscasts, QR codes are everywhere.
The simple, square barcodes known as Quick Response (QR) codes can be scanned by your smartphone camera to open up a link. They became popular with restaurants and other businesses during the pandemic as a touchless way to share information.
But before you scan, be aware that the code could be a scam.
One VERIFY viewer recently said she’d received a postcard in the mail claiming to be from Amazon.com, inviting her to test a new product. The postcard said the recipient could scan a QR code to register their name and contact information or send an email if they were interested.
Our team found the postcard was a scam and not authorized by Amazon.
Can cybercriminals use QR codes maliciously to put malware on phones or access personal accounts?
- Better Business Bureau
- Rick Crandall, National Cybersecurity Center
Yes, scammers and cybercriminals are using QR codes to steal your personal information.
WHAT WE FOUND
In places where QR codes can be manipulated, criminals are taking advantage of the convenience, according to warnings from both the Better Business Bureau (BBB) and the FBI.
Scammers can “disguise malicious links” in the codes since they can’t be read by the human eye, the BBB warns. During the pandemic, the nonprofit said its scam tracker was receiving more reports of fraudsters using QR codes to trick people.
Scammers will often include the malicious codes in emails, social media messages, text messages, flyers or mail. In some of these scams, the QR code takes you to a phishing website where you are prompted to enter your personal information or login credentials, according to the BBB. Fraudsters will also use QR codes to automatically launch payment apps or links to follow malicious social media accounts.
The FBI has also warned consumers about malicious QR codes. In some cases criminals are tampering with physical codes, placing stickers with fraudulent QR codes over real ones.
“Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information,” the federal agency said.
In Florida, the BBB reports several fraudulent QR code schemes have been tied to cryptocurrency scams.
Rick Crandall with the nonprofit National Cybersecurity Center said the approaches are different but the aim is the same: scammers are hoping you scan without a second thought.
“Before you know it you've given access to your device or you get sent to a website that may have been created to look like the website you thought you were going to,” Crandall said. “Then what it can do is install malware on your machine, or if there's a payment involved, the payment can go to the wrong place and there’s a lot of bad things that can happen.”
In one recent QR code scam, drivers were targeted at pay-to-park kiosks in San Antonio, Austin, and Houston, Texas, nonprofit Pew Charitable Trusts reported in 2022. Scammers put stickers with fake QR codes on pay stations, which took drivers to a website that asked them to enter their credit card or bank account information.
The BBB and FBI offered these tips for avoiding QR code scams:
- Don’t scan codes from strangers: If you receive a QR code in an unsolicited message, avoid it. If someone you know sends you a code via text message or social media, contact them to make sure it’s legitimate and they haven’t been hacked.
- Check the links: Before you click, you can check website URLs to make sure they look authentic and don’t have typos or misplaced letters.
- Feel it out: Literally. Be on the lookout for signs that someone tampered with a physical QR code, such as a sticker placed over the top of the original code.
- Don’t get personal: Be cautious about entering login, personal or financial information on a website you reached by scanning a QR code.
While some antivirus companies have scanner apps that check the safety of a link before you open it, the FBI recommends against using third-party scanner apps because using the wrong one could actually increase your risk of downloading malware onto your device.
VERIFY's Megan Loe contributed to this report.