QR (Quick Response) codes, those pixelated squares that direct you to a specific URL, are ubiquitous. They really are everywhere: on retail packages, magazine ads, restaurant menus, and parking meters, just to name a few. These codes are also black boxes, links whose inner workings are not immediately visible to users. That’s one reason why QR codes have become popular tools for scammers.

Yes, QR code scams are on the rise, so much so that the FBI issued a public service announcement warning readers that cybercriminals are tampering with QR codes to redirect victims to sites that steal login and financial information. When scanned, malicious codes direct users to spoofed sites containing fake payment screens or other data-collecting pages. Other QR redirects ask users to download an app or an update before continuing. Only misery follows. Once on your phone, a banking trojan will capture user credentials and allow access to banking and payment apps.

Adiós bank balance.

Nor is the problem limited to QR codes found in publicly accessible locations. Scammers are using time-tested phishing methods as well, like emails or social media posts from hacked accounts, all suggesting that recipients click on an enclosed QR code. Another trick is to send victims an unexpected package from Amazon. The box will contain an item that the victim did not order. The package will also have instructions for returning it: “Just scan this QR code and enter your information.”

This is not to suggest that you stop scanning all QR codes. Rather, like the FBI, I advise using caution when scanning if:

  • Scanned QR codes take you to sites that request personal information.
  • The QR code appears in an email, Facebook message, or similar communication.
  • The website URL that you’re taken to is shortened, hyphenated, misspelled, or has an atypical domain extension (.co, .usa).
  • The code is located in an unusual location or on something that can be easily moved (like on a napkin holder in a restaurant).
  • The QR code is outdoors and easily tampered with (parking meters, gas pumps . . .).
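
The URL warning signs in the list above can be checked mechanically once a QR code has been decoded to text. The following Python is an added example, not part of the original post; the shortener list, the expected-domain list, and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed lists, constructed for this example; tune them for your own use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
ATYPICAL_TLDS = {"co", "usa"}            # the two extensions the post names
EXPECTED = {"paypal.com", "amazon.com"}  # domains you actually expect to land on


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of expected domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def qr_url_warnings(url: str) -> list[str]:
    """Return the post's URL warning signs that apply to a decoded QR payload."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["not a web URL"]
    warnings = []
    if host in SHORTENERS:
        warnings.append("shortened")
    if "-" in host:
        warnings.append("hyphenated")
    if host.rsplit(".", 1)[-1] in ATYPICAL_TLDS:
        warnings.append("atypical extension")
    # Compare the site name (last two labels; a simplification that ignores
    # multi-label suffixes such as .co.uk) against the expected domains.
    site = ".".join(host.split(".")[-2:])
    if site not in EXPECTED and any(0 < edit_distance(site, e) <= 2 for e in EXPECTED):
        warnings.append("misspelled")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real campaign.
    for u in ("https://www.paypal.com/signin", "https://bit.ly/example",
              "https://amazon.co/returns"):
        print(u, "->", qr_url_warnings(u) or "no URL warning signs")
```

An empty result only means none of these four signs fired; the other items in the list (where the code was found, what the page asks for) still need a human look.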

Be cautious. Identity theft will change your life, and not for the better. (See my previous blogs on the subject.)

Peter Dragone - Co-founder of Keurig.