Beware the Double Click! Evaluate QR Codes to Protect Against Fraud

(StatePoint) Ancient civilizations had hieroglyphics, we have QR codes: the patterned graphic boxes prompting you to access restaurant menus, pay for parking, find out information about a package and more.

Generally, quick response (QR) codes are safe, but they can be used to redirect you to malicious websites, so caution is important. Here’s how it works.

• You get prompted to use your device’s camera.
• You scan the code and a link pops up.
• You click the link, exposing you to threat actors.
• You’re directed to apps, websites, locations using your maps and much more.

Bad actors understand people are in a rush, so this is an appealing form of attack. It’s a cost-efficient scam because these codes are easy to generate and distribute. And they are creative in finding new ways to make them appear legitimate. In public places, criminals can cover an official code with a sticker or printout showing a fraudulent code. Some of the more prevalent and convincing scams include:

• Parking Ticket Scams. Criminals place fake parking tickets with QR codes on windshields, causing unsuspecting victims to scan the code and click the link to learn of their offense and digitally pay the alleged fine.
• Brushing Scams. A criminal will ship goods you never ordered, then require you to scan the QR code and click the link to see who sent you the gift.
• Payment Scams. Criminals cover a legitimate QR code with a sticker that has a fraudulent code that directs to a malicious site. This can happen at gas pumps, bank windows, parking lots, etc.
• Crypto Scams. Crypto transactions are often made through QR codes associated with crypto accounts, making this an appealing target for fraudsters, especially since once crypto payments are made, it’s unlikely those funds will be recovered.

To stay safe when using QR codes:

• Check the URL: Once you scan and the link pops up, stop! Examine it for unusual domain names or shortened URLs before clicking.
• Verify the source: Only scan QR codes from trusted sources, like official websites or apps. Codes from unfamiliar sources are more likely to be malicious.
• Check for tampering: Look for signs of tampering, like altered graphics, design flaws or stickers placed atop original codes.
• Be suspicious: Treat sites asking for a password or login information as a red flag.
• Be wary of promotions: Be cautious of offers that seem too good to be true.
• Use a secure connection: Look for a secure connection (HTTPS) or padlock.
• Confirm validity of request: Before taking action, like making a payment or entering personal information, confirm a request to scan with the company. If you receive a QR code from someone you know, reach out to them through a known number or email to verify they sent it.
• Protect your device: Use antivirus and antimalware software.
• Report. If you identify a suspicious QR code or fall victim to a QR code scam, notify your bank and report it to law enforcement and the Federal Trade Commission.

If you scan a fake QR code, your bank account, email and identity could all be at risk. For actions to take, consult PNC Bank’s Reporting Fraud page on pnc.com.

Cyber criminals are always finding new ways to defraud their victims, and QR codes are no exception. With a little caution however, you can better protect yourself.