RISK ALERT: Is that QR code actually a scam?
QR codes are everywhere these days. Thanks to a surge in popularity, the scannable codes are used for payments, registrations, advertising and information by businesses, brands, and fraudsters. Fraudulent QR codes redirect individuals to fake or malicious websites designed to steal sensitive personal data (PII), authentication information, and payment data, or to install malware on their devices. Quishing (phishing with a QR code) has become more widespread; even the US Postal Service is reporting criminals incorporating QR codes into package delivery scams.
Alert Details
Quishing is short for QR code phishing: a QR code sends individuals to a fake or malicious website once they scan it.
Scammers typically post physical images of QR codes in high-traffic locations (e.g., parking meters, public signs, event tickets, restaurants) or send them via email, text messages, and even traditional snail mail. Once the QR code is scanned, the individual is redirected to a fraudulent, spoofed website, which may look legitimate. There, unsuspecting individuals are lured into providing personal or financial information. These fraudsters often attempt to disguise themselves as a government agency or a financial institution.
Some common ways fraudsters are trying to con people are:
•Suggesting there is a problem with your account and/or payment, and you need to confirm account or login information
•Saying there has been suspicious activity on your account, and you need to change your password
•Reporting they couldn't deliver a package or complete a transaction, and you need to reschedule or contact them
Unfortunately, QR code usage has become so common that many users just scan them without paying attention to where they’re being directed. It is critical that users carefully check the URL a QR code is sending them to. Hovering over the code with the device’s camera without actually clicking will usually show the link.
Consider these risk mitigation tips related to QR codes or quishing:
•Before scanning a QR code, consider where it is coming from
•Don’t always trust the display name – criminals will spoof the name to appear to be a legitimate sender
•Check for misspelled words, bad grammar, and/or typos within the content
•Hover over the QR code with the device’s camera without actually clicking. This will usually show the link you’re being directed to
•If you encounter a QR code in a public place, look for signs of tampering like stickers placed over existing codes, poor quality, or misaligned placement.
•Don’t believe everything you see. Brand logos, names and addresses may appear legitimate.
•Update your phone to protect against hackers and protect your online accounts with strong passwords and multi-factor authentication.
Dade County Federal Credit Union will never ask for login credentials, including two-factor authentication passcodes or personal information. If you see a QR code in an unexpected place, inspect the URL before you open it. Don’t scan a QR code in an email or text message you weren’t expecting — especially if it urges you to act immediately. If you think the message is legitimate, use a phone number or website you know is legitimate.
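What inspecting the URL can look like in practice, as an added example that is not part of the original alert: the function below takes the text decoded from a QR code and lists common warning signs of a spoofed link. The expected-domain list, the function name and the sample links are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: sites the reader already knows and expects (placeholder name).
EXPECTED_DOMAINS = {"example-creditunion.test"}

def inspect_qr_url(decoded, expected=EXPECTED_DOMAINS):
    """Return the warning signs found in the text decoded from a QR code."""
    warnings = []
    parts = urlsplit(decoded.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        warnings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    if not host:
        return warnings + ["no host name to verify"]
    if parts.username is not None:
        # Everything before '@' is a login field, not the site being opened.
        warnings.append(f"text before '@' is a decoy; the real host is {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a named site")
    except ValueError:
        pass  # an ordinary host name
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("host contains non-ASCII (possible lookalike) characters")
    if not any(host == d or host.endswith("." + d) for d in expected):
        buried = sorted(d for d in expected if d in host)
        if buried:
            warnings.append(f"'{buried[0]}' appears inside the name, but the host is {host}")
        else:
            warnings.append(f"{host} is not a site you expected")
    return warnings

# Constructed sample links (reserved example names and addresses only).
SAMPLES = [
    "https://www.example-creditunion.test/login",
    "http://example-creditunion.test.account-verify.example/login",
    "https://example-creditunion.test@203.0.113.7/login",
    "https://xn--exmple-cua.test/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", inspect_qr_url(url) or "no warning signs")
```

An empty result only means none of these signs were found; it does not prove the site is legitimate.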
Stay vigilant — a single careless scan could open the door to fraud, but a moment of caution can keep your personal and financial information safe.