Warnings Over QR Code Scams That Are Sweeping the UK & Costing Victims Thousands

The rising popularity of QR codes has created a new and easy opportunity for criminals to scam victims by duping them into:

• Accessing fraudulent or fake websites
• Downloading malware onto their device
• Providing sensitive information such as login credentials and bank details

In some cases, the malicious QR code will even be placed over genuine codes, such as on menus or parking meters so that the fake code does not stand out as unusual.

The BBC recently reported on an individual in North Yorkshire who lost £13,000 to a QR code scam at Thornaby train station. The 71-year-old victim, who wishes to stay anonymous, scanned a QR code at the station’s car park to pay for her parking; it was later discovered that the one she scanned was fake.

The fake code sent the victim to a fraudulent website, which allowed the scammers to collect her bank and personal information. They tried to use her details to make a series of transactions, which her bank initially blocked. At this point, the scammers called the victim, claiming to be from her bank, referencing genuine transactions, and gained further details from her, which allowed them to:

• Take out a loan of £7.5k in her name
• Set up online banking in her name and change the address for the new cards
• Run up thousands of pounds of debt in her name

The victim’s bank has since written off the loan and refunded the fraudulent transactions, but the victim is left feeling shaken and unable to trust anyone.

Transpennine Express, the rail company in charge of the car park where the victim was scammed, removed all QR codes from its 100+ car parks in September 2023 after a rise in reports of similar scams.

Newcastle City Council has also warned the community about QR code scams after at least three victims were targeted in the area in under two weeks. The council does not use QR codes to take payment for car parks, but the unofficial signs were clearly convincing enough to dupe a number of unfortunate residents.

According to Action Fraud, the UK’s national reporting centre for fraud and cybercrime, January to September 2023 saw more QR code scam reports (411) than seen in the whole of 2022 (380) or 2021 (291).

Unfortunately, QR codes are commonplace in modern society, so avoiding them completely may prove tricky if you want to access information conveniently. It is, therefore, crucial to know how to protect yourself from a less-than-legit code before inputting your private information.

Some top tips to avoid QR Code fraud include:

• Remain cautious of any unsolicited QR code you receive, e.g., via email, text, or physical materials such as leaflets.
• Looking out for mismatched URLs or branding; for example, if you plan to pay for parking, does the URL that pops up when you scan the QR code exactly match the URL for the parking company? If not, this may be a phishing attempt, and you should abandon the transaction.
• Also, make sure that the URL has the “https://” protocol or other security features (such as the lock symbol in the URL box) to ensure encryption. Sites without this could be scams.
• Has the QR code been physically stuck on top of another code? Scammers may overlay their code on a legitimate one, and sometimes, the quality of the code will be low.
• Be wary of any QR code that prompts you to fill in personal information straight away.
• If a QR code asks you to allow unusual permissions or download an app, ensure you have thoroughly reviewed the permissions requested and the app details, as these could enable scammers to access your device.
• If in any doubt, don’t use the code.

While QR code scams are a relatively new phenomenon emerging in recent years, the tactics used are tried and tested by scammers and involve what is known as Authorised Push Payment (APP) fraud.

APP fraud occurs when a victim is tricked into authorising a payment to an account that they believe belongs to a legitimate payee – e.g. a car park operator, a Wi-Fi provider, etc. – but, in reality, it’s controlled by a scammer. This type of fraud often involves social engineering tactics to manipulate individuals into making the payment willingly, such as providing a QR code where the victim would legitimately expect to see one.

Unfortunately, as the victim believes that the payment is real at the time, they do not uncover the scam until after the funds have been moved on, making it difficult to recover. Victims should immediately report the scam to Action Fraud, the police, and their bank, who will perform an investigation and, in some cases – like the victim in Thornaby – refund the money lost.

However, some banks may refuse to refund on the basis that the responsibility for the loss lies with the victim. In this case, the complaint can be escalated with the bank itself or, if it continues to refuse compensation, taken to the Financial Ombudsman Service (FOS) for an independent investigation. FOS is an independent, Government-backed body responsible for investigating and resolving disputes between financial institutions and their customers.

Sarah Spruce, Legal Director and Head of the Scams and Fraud team at TLW Solicitors, commented:

“While QR codes are super convenient for the modern world, they have also opened up a huge opportunity for scammers which can’t be ignored. If you, or a friend or loved one, has lost money due to a QR code scam and your bank refuses to compensate, contact our Bank Negligence team to explore your options.

FOS claims can be time-consuming and challenging for scam victims, as there are tight deadlines and complex requirements, so it is a good idea to seek advice from a firm experienced in successfully dealing with them, giving you peace of mind knowing that your case is in the best hands and helping you recover the compensation you are owed.”