QR codes could lead to identity theft, FTC warns

Federal regulators are warning about a new tool for scammers to steal your information – QR codes.

QR codes – a type of barcode that can easily be read by a digital device – have exploded in popularity since the pandemic. They’re used to view menus and order from restaurants, to pay for parking, to get into concerts and sporting events, to board flights and more.

According to the Federal Trade Commission, scammers are hiding harmful links in QR codes to steal your information. Here’s what to know. 

How are scammers using QR codes to steal information? 


A parking QR code in Atlanta. The FTC warns scammers are using the digital codes to steal your information (Getty Images)

The FTC says there are several ways scammers use QR codes to steal.

MORE: What is the 'card draining' scam? Police warn holiday shoppers purchasing gift cards

There are reports of scammers covering up QR codes on parking meters with their own malicious QR codes.

Other "crafty" scammers send QR codes by text message or email and give you fake reasons to scan it, such as:

  • Saying they couldn’t deliver your package and need you to scan the code to reschedule.
  • Pretending there’s a problem with your account and telling you to confirm your information through the code.
  • Tell you they noticed suspicious activity on your account and that you need to scan the code to change your password.

"These are all lies they tell you to create a sense of urgency," the FTC warns. "They want you to scan the QR code and open the URL without thinking about it.

MORE: How to help older people in your life avoid scams this holiday season

"A scammer’s QR code could take you to a spoofed site that looks real but isn’t. And if you log in to the spoofed site, the scammers could steal any information you enter. Or the QR code could install malware that steals your information before you realize it."

How can you protect yourself?


G's Carpet Cleaning service van, parked in Queens, New York. (Photo by: Lindsey Nicholson/UCG/Universal Images Group via Getty Images)

The FTC suggests if you see a QR code in an unexpected place, you should inspect the URL before opening it.

Look for misspellings, switched letters and other signs that the code is spoofed.

The FTC says not to scan a QR code in an unexpected email or text message — "especially if it urges you to act immediately."
"If you think the message is legitimate, use a phone number or website you know is real to contact the company," the FTC says.

Make sure your phone’s operating system stays updated to protect against hackers and other security threats. Always use strong passwords and multi-factor authentication.