QR Code Scams

 Scammers have been using QR Codes to trick victims for some time, but I'd say the FBI starting posting warnings about this around 2022.

The more common QR Codes become, the more scammers use them in their crimes.

Here are some recent ways scammers are using QR Codes:

1. You get an email or text that says you've won something, or the message is faked to look like it is coming from a bank or a credit card company or a vendor. You may even receive an actual letter or package with a QR Code on it (scammers need to work lots of potential victims so they try to use the cheapest methods). You are asked to scan the QR Code to take the next step or to 'confirm a transaction'. Often these QR Code redirect to fake websites that look real and proceed to steal your information. Sometimes this QR Codes just then download malware to your device. Don't do it!

A common one I've seen recently begins with a notification of ‘suspicious activity' on one of the victim's online accounts (the scammer is guessing and sometimes they guess right) and include a link or QR code for the user to verify their identity. Don't do it!

2. Government and utility imposters. This scam uses the name (and sometimes fake websites) to tell potential victims they have an outstanding debt that needs to be paid immediately or something terrible will happen (a warrant for arrest or if utility that your utilities will be shut off). The potential victim is told they can submit payment via a QR Code. Don't do it!

3. Parking meter payments. Fake QR Codes have been placed on the back of parking meters, leading potential victims to assume they can pay for parking through the QR Code if they do not have change. Do not do it!

How to avoid QR Scams

In general, I would not use them even though they are convenient, unless I had confirm the legitimacy of them by picking up the phone of that company, sending an email, getting into online chat, or asking on social media that it is, in fact, legitimate. Otherwise, skip the convenience of it.

Any text, email, call that uses language around 'act now or [fill in the blank with negative consequences] will happen' should be a big ole red flag for you. Stop and go another route or ignore the message completely.

It's not easy, but look for signs of tampering and layering of multiple stickers on top of one another or in a place that seems odd. Most businesses permanently install scannable QR codes using laminate or placing them behind glass in their establishments. They will often include the business’s logo in the code, often in the middle (not to say scammers won't eventually figure out how to fake this, too).

If a QR Code has redirected you to a website that request personal details or login credentials - STOP! Legitimate organizations typically do not ask for sensitive information through QR codes.

Use QR Codes through trusted applications on your mobile device. For example, through my big chain grocery store app on my phone, I use QR Codes to get additional discounts. I would never do this outside their official app.

Trust Your Intuition. If something feels off or suspicious about a QR code or the situation in which it is presented, trust your instincts and refrain from scanning it. Your intuition can often alert you to potential scams before they transpire.

Trust me, you'll be fine in the world not scanning that QR Code.

Now tell me you are NOT going to scan the below image just because I wanted to show you what a QR Code looks like. Don't do it. It's just an example. Really.

Scam Email: Screening Sharing and Fake Live Chat

Here is a recent twist on a very old scam where the scammer has some story (the victim has a virus on their computer or some fake problem), the victim calls into a number the scammer provides in the message, while talking to victim the scammer gets the victim to agree to download a screen-sharing software so they can "help" them (they won't), and the scammer proceeds to steal passwords, etc. Another old twist on this is the scammer is attempting to send money to the victim (not really) and they pretend to send $10,000 to them instead of $100 (again, its all on faked screening sharing screens) and demand the money back.

So you can see this particular twist on this scam has taken it to the corporate space but it especially also impacts anyone who is signing into their bank account while screen sharing software is running. As you can imagine, that is a bad thing. 

Sometimes, the scammer won't say why you need to click that OK button, which allows them to screen share with your computer, or - as in the image below - they fake an email so you can log into a live chat. But you are not actually logging into a live chat. And once in, the scammer can do anything on your computer at that point.

They are well practiced at moving quickly once they get in on how to steal money and grab passwords. 

So in this twist, the scammer is pretending to be a bank's customer support (or internal technical support where corporate employees are involved) and they want to get you on "live chat" (its screen sharing, not live chat), so they trick the victim into clicking the button that says join live chat. But its not.

Again, this is increasingly impacting corporate employees (because they are jumping on to live chats for meetings all the time) as well as individuals accustomed to live chat to get support on various things.

So terrible. But all we can do is just keep sharing what they are doing to hopefully reduce the number of times they are successful.

Here is what I've seen:

1. Hackers are send personalized emails and texts pretending to be from financial institutions. The email might reference the individuals job title or company role. Or it might be an individual bank customer. 

2. The messages tell victims to download a "live chat app" which is actually remote access software AnyDesk.

3. Once the screen sharing software is running, victims are instructed to share the access code with the "support agent".

These attacks are so effective because they’re so believable and targeted.

- They're commonly used by organizations for IT support

- Banking sites often can't detect if customers are running them during login

- Access codes provide complete control without needing credentials

I *highly* recommend and advocate for all banks to be implementing measures to detect when remote access tools are running when consumers log into their banking accounts. Some do it on the consumer side (not all) but they also need to do it on the corporate side for employees who may become unwitting victims while at work.

As for us consumers, I can only say, be careful out there. When it involves money, ALWAYS be skeptical and verify by another path (i.e. say you'll call yourself into the bank customer service phone line).

As the world becomes default digital, devices and our behavior on all of these convenient devices has become our most vulnerable area of risk for scams.