Scan or Scam? - Is that QR code setting you up to get scammed? (Scams, Hacks and Frauds)

Show Notes

This week on Scams, Hacks, and Frauds, we dive into the alarming rise of QR code scams that are turning a once-innovative technology into a tool for fraud. Remember when QR codes were heralded as the future of convenience? Unfortunately, they have now become a gateway for scammers to exploit unsuspecting victims. Join us as we recount the cautionary tale of Sue from Thornaby, who thought she was simply paying for parking but ended up a victim of a sophisticated scam that cost her nearly £4,700.

Sue’s experience highlights how easily scammers can manipulate QR codes to capture personal information and financial details. We discuss the red flags she encountered, the tactics used by fraudsters, and the shocking statistics revealing the surge in QR code-related scams. With organizations like Action Fraud and the FTC sounding the alarm, it’s crucial to understand the risks associated with scanning codes in public spaces.

Tune in to learn how to protect yourself from these scams, the importance of verifying the legitimacy of QR codes, and practical tips for safe online transactions. This episode serves as a vital reminder to stay vigilant in an increasingly digital world.

We publish new content every other Monday. The  10 minutes our episodes may save your wallet, and help protect your family.

If you like shows like "The Perfect Scam" or "Darknet Diaries" then this show might be for you.  

On our website you’ll find more computer hacking, identity fraud, impersonation, consumer rights and Romance Scams.  To find these and to access our transcripts, visit us at www.scamshacksandfrauds.com.

The transcript and spoken audio are available under the Creative Commons, Share Alike, With Attributions license. For more information on this visit creativecommons.org.  

Transcript

Do you remember when QR Codes seemed like the future? A new generation of Barcodes that can make your phone connect to a website or restaurant WIFI, allow your phone to be your train or bus ticket, and have even replaced your menu in many restaurants.  You know, those black and white things with lots of squares in them.

But some organisations are now removing QR Codes.  Why?  It turns out that the fraudulent use of QR Codes makes scams and hacks very easy.  This is the True Crime Podcast that helps keep you safe from Scams, Hacks, and Frauds.

Sharing stories is the best way to help protect people from Scams. hacks and frauds.  You can help us by subscribing and sharing this story.  Thanks.

Today’s true crime scam story takes us to a town in Yorkshire called Thornaby. Unless you’re really into military aviation history, Thornaby will probably fly under your  radar. Despite the surrounding picturesque countryside, the town clings to echoes of a more industrial past, giving a sense of faded vitality. Amidst this backdrop, Sue and her daughter-in-law parked at Thornaby Railway Station, embarking on what was meant to be a simple day out.

Sue put on the parking brake, turned off the ignition, got out of the car, and began to rummage through her purse to find money to pay the parking charges. However, despite searching for several minutes, she was unable to locate a machine to pay for her ticket.  She walked over to a parking information sign and spotted that she needed to download an app to her phone in order to pay.

Her eye was then drawn to a QR code on the sign.  Sue had never used a QR code before, but with a little encouragement from her daughter-in-law, and feeling she had no other choice, and certainly not wanting a parking ticket, she pointed her phone at the sign, opened her camera app, and tapped on the QR code.

She was then greeted with a new screen asking to enter her payment details. She took out her debit card and entered it as instructed.  Seconds turned into minutes, but eventually she was presented with a message that  said “Try Again.”  Knowing these things do happen, particularly when using the internet on her phone, she did so, thinking nothing of it.  Another long delay later, and  the page told her to try another card.  She swapped her debit card for a credit card and tried again, but still the payment did not complete.  Seeing the train approach the station and not wanting to miss the train, she took a picture of the page and the information board and rushed to the platform, hoping if she did get a parking ticket, she could sort it later, and didn’t think much of it for the rest of the day.

A few days later, she received an unexpected phone call; the number displayed showed it was coming from her bank.  The person calling informed her that they thought there were some fraudulent transactions on her debit card, a few of which were £100 each.  The caller said not to worry, the transactions would be sorted, and a new card would be sent.  This call was genuine… However, she received another call a few days later about her credit card. The caller again advised that they believed that there were fraudulent transactions on her account, and asked her to go through some data security checks - her name, date of birth, standard things you might be asked if you call a company.

This second caller then went through some transactions made on her account and seemed to be very well-informed about her spending, confirming some transactions down to the penny that Sue had actually made.   She was then asked if she had any other cards with the same bank, and was asked what her credit limit was.  Sue, seeing red flags at this point, hung up.  Within the next 10 minutes, that caller had successfully managed to apply for a loan with Sue’s bank, in Sue’s name, for £7,500.

Sue immediately called her bank, and by the time she was connected with the credit card team, another £ 4,000 had been taken from her card by the scammer. While talking to the bank, the scammer was still continuing  to make further attempts, showing she could have lost even more in this scam and to rub salt into the wound, the fraudster had used Sue’s online banking to change the address on the account, so new cards would be sent to other members of the gang meaning this scam could have continued on for a very long time.

All charges and the loans taken out by the scammer were either cancelled or returned to Sue.  However, it would take months for her credit card to be unfrozen, and she needed her family's help to get through the period.  The Scammer had managed to net £4700.  In response, the train company has now removed QR Codes from all of its stations. Elsewhere in Yorkshire, a man unknowingly subscribed to a £39 monthly subscription when he thought he was paying for parking using a QR code, leading the council to consider removing QR codes from all its car parks. Even legitimate parking apps, like RinGo, are advising people not to use QR codes.

——

Organisations like Action Fraud in the UK and the FTC in the US are reporting an explosion in QR Code scams; some reports even suggest they’re starting to challenge bad links in Emails, with over 25% of all scam links now being done via QR codes.

This isn’t just a parking thing.  There are reports of some individuals receiving unexpected deliveries, accompanied by a label instructing them to scan a QR code if any issues arise. They’ve also been spotted in fake delivery emails and messages.

The most worrying thing about this type of scam for us, however, is that they're easy to set up - you don't even have to pay for your own QR code. A simple search will reveal dozens of companies offering to generate a QR code for free; some don't even require your details or set up an account; all you need to do is have that code point to the website of your choice;  Many online website hosting companies advertise their AI can set up a site for you in minutes meaning this scam is very easy to set up.

All you then need is a printer and a sheet of blank mailing labels, which are available at any stationery store or your favourite online marketplace.  Stick it over a legitimate QR code, perhaps with another label that says you can scan the code to pay online, and your trap is set.  What you then do with it - Take payments, steal credit card numbers, even set people up to download a virus, or just get a sucker list for more sophisticated scams later, whatever scam or hack you want to pull is up to you, for pretty much no cost or effort.  Obviously, we don’t recommend setting up a scam, but it illustrates how easily it can be done - it only takes minutes.

Obviously, the safest thing you can do is not scan QR Codes at all, especially those in public.  If your phone generates QR codes for your bus or train ticket, these are fine to use. However, if you see a QR code in an open public area, such as a car park, do not use it.  Action fraud claims that QR codes in places like Restaurants and bars are safe to use, such as when you’re using your phone as a menu. However, before scanning, give it a look. If it looks like something has been pasted over it, don’t use it.  Most places will be happy to offer you a paper menu and take your order the old-fashioned way if you choose.

If you’re creating QR Codes for others to use, don’t use black and white ones.  Instead, add your branding and create them in your brand’s colours and with your logo in it - you might have seen Snapchat put their little ghost in theirs.  This isn’t foolproof; a scammer still could match your brand colours, but it would mean they have to create a special sticker just for your company with your logo and colours on it for it not to stick out, and scammers are very much opportunists; if there’s an easier mark than you, the scammer will probably go for them.

I've been Cee, and this has been Scams, Hacks, and Frauds. Instead of just remembering to like and share this story, pass this episode to one person you wouldn't want to see scammed today. Sharing these stories is our best protection against scammers,  keeping us all safe.