QR codes may be a gateway to identity theft, FTC warns

Westend61 | Westend61 | Getty Images

You may want to think twice before scanning that QR code.

The codes — a digital jumble of black and white squares, often used for storing URLs — have become seemingly ubiquitous, found on restaurant menus and in retail stores, for example. However, they can pose risks for the unwary, the Federal Trade Commission warned Thursday.

About 94 million U.S. consumers will use smartphone QR scanners this year, according to a projection by eMarketer. That number that will grow to 102.6 million by 2026, it said.

There are countless ways to use them, which explains their popularity, according to Alvaro Puig, an FTC consumer education specialist, in a consumer alert.

“Unfortunately, scammers hide harmful links in QR codes to steal personal information,” Puig said.

More from Personal Finance:
IRS rejects more than 20,000 refund claims for pandemic-related tax credit
Credit card debt is biggest threat to building wealth, poll finds
Not saving in your 401(k)? Your employer may re-enroll you

Why stolen personal data is a big deal

Here’s why that matters: Identity thieves can use victims’ personal data to drain their bank account, make charges on their credit cards, open new utility accounts, get medical treatment on their health insurance and file a tax return in a victim’s name to claim a tax refund, the FTC wrote in a separate report.

Some criminals cover up the QR codes on parking meters with a code of their own, while others send codes by text message or email and entice victims to scan them, the FTC said in its consumer alert.

The scammers often try to create a sense of urgency — for example, by saying a package couldn’t be delivered and you need to reschedule, or that you need to change an account password due to suspicious activity — to push victims to scan the QR code, which may open a compromised URL.

“A scammer’s QR code could take you to a spoofed site that looks real but isn’t,” Puig wrote. “And if you log in to the spoofed site, the scammers could steal any information you enter. Or the QR code could install malware that steals your information before you realize it.”

How to protect yourself

Here’s how to protect yourself from these scams, according to the FTC:

  • Inspect URLs before clicking. Even if it looks like a URL you recognize, check for misspellings or a switched letter to ensure it’s not spoofed.
  • Don’t scan a QR code in a message you weren’t expecting. This is especially true when the email or text urges fast action. If you think it’s a legitimate message, contact the company via a trusted method like a real phone number or website.
  • Protect your phone and online accounts. Use strong passwords and multifactor authentication. Keep your phone’s OS up to date.

Don’t miss these stories from CNBC PRO: