How to check if a QR code is safe: With QR code scams popping up, what to look out for

The sign on the post at the pizza joint in Detroit had just one word on it, "Dog," and a QR code. My first reaction −and unfortunately this is how it goes when you write a little too much about fraud − was to tell my 7-year-old buddy who was cuddled next to me in the booth that the sign was a total scam.

Or maybe, I told her hopefully, something for a scavenger hunt, which she then immediately wanted to go on after we ate.

Her dad, my brilliant nephew, solved the mystery by taking his cellphone to the square barcode on the sign to discover, sure enough, it was a promotion for a local artistic endeavor. So much for Auntie Sue's scam of the week.

Can someone steal your info with a QR code?

No, every sign you see with a black-and-white barcode isn't a scam. Sometimes, it is just a contactless way to view the menu. Or process tickets. Or tempt someone into learning more about a student-produced movie.

Even so, the crooks are cleverly using these digitally readable squares as a way to cause big trouble. We're aware of the mayhem that can be caused if we click on malicious links sent through emails or texts, which can enable scam artists to steal personal information or get you to download malware onto your smartphone. But we're likely to be less on guard when it comes to QR code scams.

The fake QR codes can be physical, such as something posted on a sign or fake postcard, or digital, such as ones sent via email.

QR — or "quick response" — codes are a bit like a shortened URL when it comes to fraud. Like that sign at the pizza place, you're not able to see where clicking on the square will take you. Criminals can disguise their motives and abuse the technology.

Con artists can, and do apparently, slap a sticker of their own barcode on top of a legitimate QR code, so you want to look for odd stickers or other signs of tampering.

"Con artists can easily create a QR code for free online, which they then print on stickers and either cover up an actual QR code or place where it makes logical sense," according to a BBB alert last year.

What is an example of a QR code scam?

One trick that seems to have worked in several cities: Scammers put up stickers with fake QR codes at some parking lots, which end up taking drivers to websites that asked them to enter their credit card or bank account information. The fake QR codes can also be stuck onto the back of parking meters.

A consumer in Grand Haven, for example, saw a cardboard sign to "pay for parking" at the start of a hiking trail, according to a report filed with the Better Business Bureau in May.

But it turned out to be a scam. The consumer later discovered that $39.95 was being charged to her credit card each month for an entertainment website, including music and videos, according to Kelly Johnston, public relations and marketing manager for the Better Business Bureau Serving Eastern Michigan.

Consumers in other states have complained about similar parking-related scams to the BBB. One victim was misled to a site that ended up charging $49.99 a month for some subscription service. In that case, the scam started with a $1 fee being charged and then the huge monthly fee cropped up later.

In some parking scams, the consumer pays through the fake code but ends up with a parking ticket or even being towed for nonpayment − which only adds to the misery and money lost to such scams.

SOS!Here's how to set your phone's emergency settings and why it may be a life-saver

How do I authenticate a QR code?

The danger lurks when malicious QR codes take you to a “phishing website.” Scammers create sites that look convincing and ask for personal information. The problem? Whatever information you give on this site will go directly to scammers.

Nessel noted that QR codes also can be used in phishing emails. QR codes are not picked up by security software, unlike attachments and links.  

And troublemaking codes can be used to download malicious software such as malware, ransomware, and trojans. "These viruses can spy on you, steal sensitive information or files (like photos or videos), or even encrypt your device until you pay a ransom," according to the Michigan AG's alert.

Or the codes can be programmed to open financial apps on your smartphone — or social media accounts and email accounts. Then, scammers are able to compose and send messages to your contacts using your email or social media accounts.   

You'd want to disconnect if you scanned on the code and then were asked to provide financial information or are threatened in some way. If the information looks odd or anything seems suspicious, disengage.

How do you know the QR code is real or fake?

The FBI issued an alert early last year that noted that cybercriminals can leverage the stolen financial information to withdraw money from victim accounts.

The FBI warned: "Do not download an app from a QR code. Use your phone's app store for a safer download." Experts warn that the malicious app could potentially record the consumer logging into their banking app, triggering financial havoc. You don't want to get into a situation where you end up forwarding the SMS one-time security code to the fraudster.

Other FBI tips:

• Do not scan a code if it is on a sticker, looks like it has been replaced, or is covered up.   
• Do not download a QR code scanner app, which increases the risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
• Avoid making payments through a site that pops up after scanning a QR code. Instead, manually enter a known and trusted URL to complete the payment.
• After scanning the code, see if the URL you are taken to is a secure one that begins with “https.”
• Be cautious if you receive an email from a company that states your payment failed to go through. Con artists impersonate companies and state that you can only complete the payment through a QR code. Call the legitimate company directly to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.

Given the constant threat of scams, the American Bankers Association advises that you log out completely when you finish a mobile banking session. Use the passcode lock on your smartphone and other devices to make it more difficult for thieves to access your information if your device is lost or stolen. Beware of apps that ask for unnecessary “permissions” and delete unused or rarely used apps. Avoid storing sensitive information, like passwords or a Social Security number, on your mobile device.

If you believe you have been a victim of QR code fraud, report it to your local FBI field office and to the FBI Internet Crime Complaint Center.

Contact personal finance columnist Susan Tompor: [email protected]. Follow her on Twitter @tompor.