Con Watch: Beware of QR Code Scams

As the popularity of QR codes has increased with the public, so has their use by scammers, who are setting up phony QR codes to lure you to their bogus websites.


Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other Con Watch articles.

Quick Response codes or QR codes have been around since 1994, but they have become much more popular in recent years and can be commonly found on parking meters, in restaurants, and in advertising.

Unfortunately, as the popularity of QR codes has increased with the public, so has their use by scammers, who are setting up phony QR codes to lure you to their bogus websites, where they solicit personal information used for identity theft or persuade you to make a payment with a credit card. QR code scams even have their own name – quishing.

Here are some of the current QR scams.

Brushing QR Code Scam

The latest QR code scam that has recently surfaced is a variation on the brushing scam. Brushing occurs when shady online vendors send merchandise to someone who hasn’t ordered it, and then use that person’s information to post positive reviews of the product. However, in the new QR code version of brushing, the targeted victim receives a package containing unordered merchandise without any sender information — except for a QR code that the unwary person will scan and then be prompted to share personal information.

If you receive a package with no sender information, but merely a QR code, it is a scam and you should not scan the QR code.

QR Code Phishing Email Scam

Another recent QR code scam starts with an email that appears to come from a company with which you do business informing you that you need to update your account or it will be closed. You are instructed to scan the QR code in the email, which takes you to what looks like the company’s legitimate website, where you are then asked to input your username and password. The scammer now has your login credentials for that company.

What makes this QR code scam particularly dangerous is that while security software is increasingly able to recognize and screen out malicious links, it cannot recognize malicious QR codes.

If you receive such an email, check the email address of the sender. If it doesn’t appear related to the company it purports to be from, you can be confident that it is a scam. However, in many instances the email address may look legitimate even though it is not. Therefore, your best bet is to never trust the QR code and instead contact the company directly.

This scam also points out the importance of using dual factor authentication on all your accounts, because even if someone manages to steal your username and password, they will not be able to access your account.

You may also want to consider downloading a QR code scanner app that will let you know whether a QR code is legitimate and prevent the downloading of malware from bogus QR codes.

Bitcoin ATM QR Code Scams

A report from the Federal Trade Commission (FTC) indicates a 1,000 percent increase in money lost to scammers through Bitcoin ATMs in the last three years, with consumers reporting losses of more than $111 million last year. Bitcoin and other cryptocurrency ATMs look just like traditional ATMs, but instead of distributing cash from your bank account, they take cash in exchange for cryptocurrency. Due to the anonymity and immediacy of the Bitcoin transfers done through a Bitcoin ATM, it is a favorite method of payment for scammers.

Most Bitcoin ATM scams involve the crook posing as either a law enforcement officer, government official, or someone providing tech support for a non-existent problem. What all of these imposter scams have in common is that they scare the targeted victim with a story about an emergency that requires them to take cash from their bank account and use a QR code to deposit the money into the account of the scammer at a Bitcoin ATM.

Protecting yourself from these imposter scams starts with recognizing that you can never be sure who is actually contacting you, so you should never click on a link, download an attachment or provide personal information in response to any of those communications unless you have absolutely confirmed that the communication is legitimate. Further, there is no circumstance where you will be asked by anyone legitimate to withdraw funds from your bank, deposit them into a Bitcoin ATM, and transfer the funds to them. Only scammers make those requests.


Comments

  1. Bob McGowan, I agree with you. It too has served me well staying away from those QR Codes. I also steer clear of any social media. I tend to piss people off anyway because I’ll tell it like it is and the hell with anyone’s feelings. Like me or not, it matters neither way to me.

  2. Steering clear of QR codes has served me so well. I DID scan one a couple of weeks ago on a mailed postcard to find out my upcoming high school reunion was going to be AT the high school Steve, and NOT at the beautiful Woodland Hills Hilton. Then on August 2nd after 11 p.m., I’m on my desktop finishing a YT video on a blue ’73 Mach 1 I was thinking about earlier in the day.

    I’d just come back from a quick trip to the fridge to see my computer monitor screen blue, doing an update, and not to turn it off. So not touching my mouse, I’m watching the white arrow tip moving around. It goes onto the Amazon page for a few seconds, then to PayPal, where $100 is extracted as a ‘gift sub’. I called U.S. Bank right then and there to report it. Very glad I only ever leave around $300 (max) in that account at any given time. (That $ will be refunded soon).

    On my bank page (while I’m talking to fraud!) the cursor tip reappears, moving around. They’d never heard of this happening before with the victim actually seeing it happen! So that account was shut down immediately and my debit card. I went to the branch the next day to get new replacements of both.

    The same day I took my computer over for diagnosis, top to bottom. Has all kinds of state-of-the-art protection and is again like new, all for $150, only too happy to pay it. I know a lot of people who’ve had weird tech problems so far in August with the phone/laptop and desktop.
