QR codes could be a gateway to identity theft, FTC warns

You may want to think twice before scanning that QR code.

The code – a digital mix of black and white squares, often used to store URLs – has become ubiquitous, found on restaurant menus and retail stores, for example. However, they could pose a risk to the unwary, the Federal Trade Commission warned Thursday.

According to eMarketer estimates, approximately 94 million US consumers will use smartphone QR scanners this year. This number will increase to 102.6 million by 2026.

There are countless ways to use them, which explains their popularity, according to Alvaro Puig, FTC consumer education specialist in Consumer Alert.

“Unfortunately, scammers hide harmful links in QR codes to steal personal information,” Puig said.

More than personal finance:
IRS rejects more than 20,000 refund claims for pandemic-related tax credits
Survey finds credit card debt is the biggest threat to wealth building
Not saving in your 401(k)? Your employer can re-enrol you

Here’s why it matters: Identity thieves use victims’ personal data to drain their bank accounts, charge their credit cards, open new utility accounts, receive medical treatment and make claims on their health insurance. For filing tax returns in the name of the victim. Tax refunds, the FTC wrote in a separate report.

Some criminals hide QR codes on parking meters with their own codes, while others send the codes by text message or email and entice victims to scan them, the FTC said in its consumer alert.

Scammers often try to create a sense of urgency – for example, by saying the package could not be delivered and you need to reschedule, or you need to change the account password due to suspicious activity – by getting victims to scan the QR code. To prompt for code, which can open a compromised URL.

“A scammer’s QR code can take you to a fake site that looks real but isn’t real,” Puig wrote. “And if you log in to a fake site, scammers can steal any information you enter. Or the QR code could install malware that steals your information before you even realize.”

According to the FTC, how to protect yourself from these scams:

• Please inspect the URL before clicking. Even if it looks like the URL you recognized, check for misspellings or changed letters to make sure it’s not a fake.
• Don’t scan a QR code that turns up a message you weren’t expecting. This is especially true when the email or text urges quick action. If you believe it is a legitimate message, contact the company through a reliable method such as a real phone number or website.
• Keep your phone and online accounts secure. Use strong passwords and multifactor authentication. Keep your phone’s OS updated.

Don’t miss these stories from CNBC Pro: