Think twice before scanning a QR code — it could lead to identity theft, FTC warns

Scanning a QR code can expose you to identity theft, according to the Federal Trade Commission. 

Quick-response, or QR codes, which store links and other information and are readable by a smartphone camera, are today widely used at businesses including restaurants and a range of retailers. Over 94 million consumers will use their phone to scan a QR code this year, according to Insider Intelligence. 

The technology helps retailers by giving them insights into customer behavior, such as by linking a QR code to a store loyalty program. Yet while they offer a measure of convenience for customers and help enterprises do business, they can also give bad actors a stealthy tool for stealing consumers' personal information, the government watchdog warns. 

Identity theft can be financially devastating for victims, who often have little recourse. Armed with your personal information, thieves can drain bank accounts, rack up charges on credit cards, open new utility accounts and even seek medical treatment under someone else's health insurance plan, according to an FTC report. 

In some cases, a thief might even use your name when arrested by the police, regulators note. Telltale signs that your identity has been stolen include unexplained bank account withdrawals or credit card charges.

How scammers use QR codes?

Scammers sometimes put their own QR codes in places where they are commonly found, such as at parking meters stations, concert venues, parking garages, public fliers and bike share racks. As part of their schemes, they might cover up QR codes from legitimate business entities to steal personal information. Other scammers send unsolicited QR codes via text message or email.

As part of such ruses, fraudsters often say the matter is urgent by, for example, saying a package you weren't expecting was undeliverable and that you must contact customer service immediately.

"They want you to scan the QR code and open the URL without thinking about it," the FTC wrote in a blog post. 

The malicious QR codes sometimes lead to phony websites that mimic legitimate sites. If you log in to the spoofed site, scammers can steal any information you turn over. Other times, scanning the QR code itself automatically installs malware on your device, the FTC said. 

How to prevent QR code ID theft

Think twice before scanning a QR code. If a code appears someplace unexpected, inspect it first. If it contains a URL with misspellings, the code could be a sign of fraud.

Beware QR codes received unexpectedly. Even if a text or email message from a business seems legitimate, contact the company directly by phone or online. 

Update your phone's software. Always install the latest versions of your smartphone's operating system and protect your online accounts with strong passwords. Also use multi-factor authentication, so only you can access your personal accounts. 

In:
• QR Codes

Megan Cerullo

Megan Cerullo is a New York-based reporter for CBS MoneyWatch covering small business, workplace, health care, consumer spending and personal finance topics. She regularly appears on CBS News streaming to discuss her reporting.