Be wary of fraudulent QR codes used in a variety of scams

Scanning QR code / iStock/Getty Images/Diy13

With more and more companies using QR codes to direct current or potential customers to their websites, mobile apps, digital marketplaces, or anything else available on the internet, the codes have become an expected part of a company's marketing. Unfortunately, while there are many legitimate and helpful uses for QR codes, scammers are also taking note of their growing popularity and using them to carry out various schemes.

Consumer reports to Better Business Bureau (BBB) and warnings issued by police departments in cities across the nation detail how some QR codes are being created to direct users to phishing websites, fraudulent payment portals, and downloads that infect devices with viruses or malware. While the way victims are exposed to QR code fraud varies, a common theme identified in reports is that most come from unsolicited communications or a QR code posted in a publicly accessible location.

Here are some recent ways scammers are using QR codes:

Parking meter payment. Fraudulent QR codes are often placed on the back of parking meters, leading victims to assume that they can pay for parking through the QR code if they do not have change. Con artists can easily create a QR code for free online, which they then print on stickers and either cover up an actual QR code or place where it makes logical sense. After paying for the spot through the QR code, some victims return to find their vehicle has been towed or received a parking ticket for non-payment, multiplying the amount of money lost.

Cryptocurrency wallets and romance scams. The rise of cryptocurrencies has altered traditional thinking about investments, and the confusion surrounding these transactions makes it a ripe ground for scammers to take their toll. The trading of cryptocurrencies is conducted online, and the easiest way for both legitimate and fraudulent traders to direct investors to their digital wallets is through a QR code.

BBB has found some scammers are willing to spend months of their time building a romantic relationship with a victim, eventually gaining enough trust to convince the victim to provide financial assistance through a cryptocurrency exchange, or to invest in what sounds like a great cryptocurrency investment opportunity. Believing that the scammer is in dire need or has their best interest in mind, the victim follows the provided QR code and transfers the requested amount to the scammer's digital wallet.

Phishing scams. The design of QR codes makes it impossible for the user to know where the code will direct them after scanning, allowing scammers to send victims to phishing websites or downloads that will infect devices with malware. After scanning a code found in an email, text or on a flyer, some victims are directed to a website that requests personal information that can lead to identity theft, compromised passwords for online accounts, or downloads that track the user's activity on the device.

Many phishing attempts begin with notification of 'suspicious activity' on an online account and include a link or QR code for the user to verify their identity. In reality, the information provided is going to a scammer, which they then use for other purposes.

Utility and government impostors. Many consumers report they are contacted by someone claiming to be with their utility company, the Social Security Administration or the IRS regarding an outstanding debt they must immediately pay in full. The "representative" states that failure to pay the unpaid bill will result in either arrest, additional fines, or shutting off access to utilities, however these contacts are made by impostors.

From there, the impostor will likely claim that the regular payment portal for these services is currently offline, but the victim can submit payment through another portal which, conveniently, they can access by following a link or scanning a QR code. The payment portal the victim is directed to often mimics the real portal down to the finest detail, making it seem legitimate.

False sense of security. In some cases, consumers turning to BBB are reporting that the QR code they've been sent does go to the website of a legitimate, reputable business or agency. This could be the case when someone is trying to add legitimacy to their claims that they are employed by them. You may even see a QR code that goes to an 'employee profile' that includes official logos, badge numbers, professional headshots and additional information designed to ease any fears.

In either case, they key will be to make sure that you aren't then directed away from the reputable business for any information submission, including account information or payment. BBB and law enforcement find that once a scammer is confident that they have convinced their target they do represent a reputable business, the likelihood that the victim will provide whatever information or money is requested drastically increases.

To avoid QR scams, the Better Business Bureau recommends:

Do your research. While fake QR codes are hard to detect, taking the time to do your research before clicking on a code - especially one shared with you through an unsolicited communication - can go a long way to helping you avoid a scam.

Even if you appear to receive a QR code from a family member or friend via text, messenger or email, be sure to confirm with that person through another type of contact that they actually sent it to you before you click on anything or open an attachment. That means you need to call them or text them at the number you know to belong to them.

Don't open links from strangers. If you receive an unsolicited message from a stranger that includes a QR code, BBB strongly recommends against scanning it. If the message promises exciting gifts or investment opportunities under the condition you 'act now,' be even more cautious. Scammers use this type of language consistently and rely on their targets to make immediate decisions before taking the time to verify its authenticity.

Be wary of short links. If a shortened URL appears when hovering your camera over a QR code, there is no way of knowing where it will direct you once the link is followed. Make sure you are confident that the QR code is legitimate before following short links, as it may send you to a malicious website. Once on the website, look at the URL and verify the domain and subdomain make sense for the organization that supposedly operates it. Scammers often switch around the domain and subdomains for URLs or slightly misspell one word to make websites appear legitimate.

Check for tampering. Some scammers attempt to mislead consumers by altering legitimate business ads or placing stickers on the QR code. Keep an eye out for signs of tampering and, if discovered, have the business check that the posted QR code is genuine. Most businesses permanently install scannable QR codes in their establishments using laminate or placing it behind glass. They will often include the business's logo in the code itself, often in the middle.

If you've been the victim of a QR scam, report it at You can also reach your BBB at 423-266-6144.

Michele Mason is president of the Better Business Bureau in Chattanooga.