If you scan a bogus QR code and go to the linked site, you can be fooled into giving up passwords and sensitive data. Here’s how to spot and protect yourself from fake QR codes.
Fraudsters have been caught before selling what purport to be apps for reading QR codes, but the FTC says that some are sticking their own codes on top of legitimate ones in public places.
“There are reports of scammers covering up QR codes on parking meters with a QR code of their own,” says the FTC in a statement. “And some crafty scammers might send you a QR code by text message or email and make up a reason for you to scan it.”
“A scammer’s QR code could take you to a spoofed site that looks real but isn’t,” it continues. “And if you log in to the spoofed site, the scammers could steal any information you enter… [or] the QR code could install malware that steals your information before you realize it.”
How to protect yourself from QR code scams
There are five techniques for spotting malicious QR codes, and for preventing fraudsters from using the information they get to access your online accounts.
- Use the iPhone’s Camera app to scan the QR code, not the QR scanner available in Control Center, because the Camera will preview the URL before going to it
- Inspect the URL a QR code wants to send you to — look for misspellings
- Don’t scan texted or emailed QR codes you weren’t expecting
- Always be running the latest iOS
- Use multi-factor authentication on your online accounts
Many QR codes will blatantly take you to suspicious URLs, but some will be cleverer than that. Look for URL misspellings, and altered letters such as the digit 1 being used in place of the lowercase l of the real site.
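The same inspection can be automated wherever decoded QR links pass through software, such as a mail or messaging filter. The Python below is an added example, not code from the FTC, QRFY or AppleInsider; the trusted domains, the function names and the one-typo threshold are assumptions, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist of sites the user actually expects (assumption).
TRUSTED = {"parkwell.example", "citymeter.example"}

# Character swaps to undo before comparing: the article's 1-for-l case,
# plus 0-for-o as an assumed swap of the same kind.
CONFUSABLE = str.maketrans({"1": "l", "0": "o"})


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def site_of(host):
    """Last two labels of the host name. A simplification: production code
    should consult the Public Suffix List (for example for .co.uk names)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def check_qr_url(url):
    """Classify the URL decoded from a QR code as trusted, lookalike or unknown."""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        return ("unknown", "no host name in URL")
    domain = site_of(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    folded = domain.translate(CONFUSABLE)
    for good in sorted(TRUSTED):
        # Identical after undoing swaps, or one typo away from a trusted name.
        if folded == good or edit_distance(folded, good) <= 1:
            return ("lookalike", good)
    return ("unknown", domain)


if __name__ == "__main__":
    for sample in ("https://pay.parkwell.example/meter/42",   # constructed samples
                   "https://parkwe11.example/meter/42",
                   "https://parkwel.example/pay",
                   "https://unrelated-site.example/"):
        print(sample, "->", check_qr_url(sample))
```

A "lookalike" verdict names the trusted domain being imitated; "unknown" means only that the host is not on the allowlist and still needs a human look.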
QR-code generating firm QRFY adds a further recommendation to the FTC’s: do not download a QR-scanning app.
“[Since] iOS and Android devices’ camera apps already automatically scan QR codes,” the firm told AppleInsider, “using a specific app isn’t necessary.”