The UK is set for an unwelcome barrage of new scams as fraudsters exploit QR code technology to steal from unsuspecting victims.
The codes are the latest weapon in scammers’ armoury and are being used in a growing number of pernicious ways, fraud experts warn.
QR – or ‘Quick Response’ – codes are small, jumbled boxes of black and white squares, which operate much like a barcode. When used legitimately, they can be very useful.
You simply point the camera on your smartphone at a QR code (such as those in your Mail on Sunday) and it directs you to a website automatically without you having to tap the details into your browser.
The use of QR codes has grown since the pandemic, when they became a popular way for smartphone users to share contact information and vaccination status with restaurants and other venues.
But scammers have found ways that QR codes can be used to trick victims into sharing personal information and bank details.
Nick Hunn, a strategist at the technology company WiFore Wireless Consulting, says: ‘Criminals love QR codes as, for the moment, people have confidence in them. Also, because they are new and hard to fathom, people assume they are safe.
‘But accessing a QR code is like clicking on an unsolicited email attachment – and you could be opening a can of worms. They should be treated with caution.’
QR code scams operate in a number of ways. Here are some to watch out for:
HOW ‘QR CODE JACKING’ WORKS
This is when fraudsters stick a fake QR code over a genuine one to snare unsuspecting victims.
For example, a fake QR code can be put on a parking meter, electric charging point or even on a restaurant menu. The unsuspecting victim uses the code to access what is presumed to be a genuine website to pay for parking, car charging or for a meal.
However, although the website may look authentic, it has been set up by scammers. When the victim enters their bank details to make a payment, this information is quickly siphoned off by the scammer and used to steal money from the victim’s bank account.
Alternatively, the scammer may use this personal information to trick the victim at a later date. The scammer may phone and pretend to be from the victim’s bank – and knowing the victim’s personal information gives their story an air of legitimacy.
Some motorists on the Isle of Wight fell prey to this crime last year when a fake QR code was stuck on parking meters in a council car park. The code sent car owners to a fake website that asked them to tap in their details to pay for the parking spot. Payments were then siphoned off by crooks.
It is hard to discern a fake QR code from a real one, which is a key reason why people are especially vulnerable.
But Stephen Burke, product director at the cyber security company Titan HQ, believes a careful look at the placing of the code offers clues as to whether it might be a fraud.
He says: ‘Always take a close look at any QR code to see if there are signs it has been plastered over a genuine one, perhaps on different paper or is peeling off.’
Always scrutinise websites accessed by a QR code before entering personal information. Look out for signs it may be a fake, such as bad graphics or misspellings. Only enter details on websites whose address begins with ‘https’, as this means the connection to the site is encrypted. Scammers can set up ‘https’ sites too, so this alone is not proof that a website is genuine.
If in doubt, shut the webpage accessed by the QR code and look up the website directly by typing the correct web address into your browser.
‘QUISHING’ EMAIL WITH A DODGY LINK
This is when a scammer sends an email containing a QR code purporting to be from a genuine organisation such as a high street bank, the taxman or from an online retailer such as Amazon.
The crook has made up a story to encourage you to use the QR code. For example, they could claim that you can use the code to enter a competition, take advantage of a special offer or buy a product.
But when the victim uses the QR code, it takes them to a bogus website where any personal information they input can be harvested by the fraudster.
Burke says one of the most common versions doing the rounds is scammers sending emails pretending to be from a bank and claiming that they are updating their security process.
Burke says: ‘Fraudsters explain that the bank is doing away with their current security system such as two-factor authentication – and upgrading to use QR codes instead.’
The QR code takes the victim to a website where they are asked to input the security codes or password used to access their online banking to set up the new security system. The crook then uses this information to log on to the bank account and steal savings.
Burke adds: ‘Everyone finds authentication codes and remembering different passwords a headache – so it is easy to fall for the scam as it not only sounds believable but makes logging in easier and more appealing.’
NEW PARCEL DELIVERY SCAMS
Parcel delivery firms increasingly use QR codes to interact with their customers – a trend that is being exploited by scammers.
For example, if you miss a parcel delivery, genuine firms will often put a note through your letterbox containing a QR code to scan to reschedule the delivery.
But scammers can also mock up fake notes containing QR codes that lead to bogus websites.
The fake website may be used to harvest private data or charge a fake ‘shipping fee’.
Zulfikar Ramzan, chief scientist at cyber security firm Aura Labs, explains that thieves might even send a gift in the post, purporting to be from Amazon or another online shop. The parcel will contain a QR code, which claims to offer details of how to return the gift or find out more about it.
‘Scan it and you will be directed to a website that tries to capture your personal information,’ he says.
‘Never scan links if you are unsure where they have come from and, instead, visit the genuine company’s website.’
SOFTWARE UPDATES THAT ARE BOGUS
Criminals have also developed a way to use QR codes to download malware on to your computer or smartphone.
Malware is malicious software, much like a computer virus, which, when installed on your device, can be used to plunder your personal information.
Be wary of any QR code app that asks you to install a software ‘update’ after scanning. If you are in any doubt about its legitimacy, refuse installation and shut down any web pages the QR code has opened.
I was scammed by fake code at a charging point
Tony Fuller was targeted by QR code crooks when he tried to pay to charge up his electric car at a charging point in Camden, North London.
The retired teacher, of Winsham in Somerset, says: ‘I drove to visit my son in London and found a charging point just 50 metres from his flat, which seemed very handy.
‘The instructions on the charging point screen told me to “scan the QR code below”. There was nothing suspicious-looking about it. When I scanned the code, the charging company’s logo came up along with a payment screen.
‘But when I entered my bank details to pay, the whole system simply froze.’ Tony said that he was not suspicious but simply abandoned his attempt to pay using the QR code link and, instead, logged into the charging company’s website directly.
He says: ‘It was only when I checked my bank account that I discovered a couple of small payments had been taken out – but with no reference to what they were for.
‘I told my bank immediately to cancel any further payments as I fear crooks were testing the water to see if they could access my account before taking larger amounts.’