Scanning a QR code can expose you to identity theft, according to the Federal Trade Commission.
Quick-response, or QR codes, which store links and other information and can be read by a smartphone camera, are now widely used in businesses, including restaurants and a number of retailers. Over 94 million consumers will use their phone to scan a QR code this year, according to Insider Intelligence.
The technology helps retailers by giving them insight into customer behavior, such as by linking a QR code to a store loyalty program. But while they offer some convenience to customers and help companies do business, they can also give bad actors an insidious tool to steal consumers’ personal information, the government watchdog warns.
Identity theft can be financially devastating to victims, who often have little recourse. Armed with your personal information, thieves can drain bank accounts, charge credit cards, open new utility accounts and even seek medical care under someone else’s health insurance plan, according to an FTC report.
In some cases, a thief may even use your name when arrested by police, regulators note. Telltale signs that your identity has been stolen include unexplained withdrawals from bank accounts or credit card charges.
How do fraudsters use QR codes?
Scammers sometimes put their own QR codes in places where they are commonly found, such as at parking meter stations, concert venues, parking garages, public fliers and bike racks. As part of their schemes, they can mask QR codes from legitimate business entities to steal personal information. Other scammers send unsolicited QR codes via SMS or email.
As part of such ploys, scammers often state the urgency of the matter by saying, for example, that a package you did not expect could not be delivered and that you should contact customer service immediately.
“They want you to scan the QR code and open the URL without thinking about it,” the FTC wrote in a blog post.
The malicious QR codes sometimes lead to fake websites impersonating legitimate websites. If you log into the fake site, scammers can steal any information you provide. Other times, scanning the QR code itself automatically installs malware on your device, the FTC said.
“Only scan QR codes from sources you trust,” said Mike Scheumack, chief innovation officer at IdentityIQ, an identity theft protection company. “Fraudulent QR codes can lead you to fake websites or install malware with the same purpose – to steal your identity and money.”
How to prevent QR code ID theft
Think twice before scanning a QR code. If a code appears somewhere unexpected, inspect it first. If it contains a misspelled URL, the code may be a sign of fraud.
Beware of received QR codes unexpected. Even if a text or email from a company seems legitimate, contact the company directly by phone or online.
Update your phone’s software. Always install the latest versions of your smartphone’s operating system and protect your online accounts with strong passwords. Also, use multi-factor authentication so that only you can access your personal accounts.