Watch out for dodgy QR codes that could be scams

QR codes exploded during the Covid-19 pandemic as an efficient way to keep people at a safe distance, allowing customers to order food or drinks in bars and restaurants without interacting with staff.

Now, they’ve become part of our everyday life. When we come across one in a public place, we often don’t think twice before pulling out our phones to scan it and follow the instructions that come up.

But QR codes are increasingly used as a tool by scammers taking advantage of our trust in the little black squares. Dodgy QR codes are one of the most common complaints to the Which? scam sharer tool, the consumer group say.

Victims of these scams have been charged up to £39.99 a month through subscriptions they didn’t willingly sign up for.

How do QR code scams work?

Fraudsters can tamper with existing QR codes by placing fake stickers over them.

If you scan a dodgy QR code in a restaurant, it can infect your device with malware – software designed to damage your device or give unauthorised access – or direct you to an app to order you food. Once you’ve given your card details, a subscription is set up without your knowledge.

Drivers are a common target. Earlier this month, drivers were warned about a rise parking app scams using QR codes to trick people into setting up recurring payments.

How can I avoid dodgy QR codes?

Look for any signs to suggest the code may have been tampered with. Does it looks out of place? If you’re not sure, type in the web address into your browser instead.

As you start scanning a code, check the web address that comes up. If it doesn’t start with ‘https’ or it’s not what you expected, don’t click on the link.

Try not to use QR codes to download apps. Instead, search for the app in your play store if you have an android, or in the app store if you’ve got an iPhone.

It’s also best to avoid using a QR scanner app – these increase the risk of being misdirected to a scam ad. Use your phone camera if you can – most have a scanner build into them.  

Scammers are increasingly putting QR codes in emails, so if you receive an email with one, don’t scan it.

Which? say they’ve received several reports of unwanted charges to the following websites:

• bechef.club
• chefbe.club
• bevod.club
• vodbe.club
• begame.club
• gamesbox.pro
• boxgames.pro

These sites are associated with a company called Digotech, who say they’re a digital entertainment provider. After being questioned, Digotech told Which? they believe complainants had accidentally clicked on some of their ad banners without realising they were separate from the websites or apps where the banners were advertised.

How do I get my money back?

If a payment to a Digotech brand has been taken out of your account and you don’t remember approving it, contact their customer care team asking for a full refund – for example, email [email protected].

Contact your bank if you aren’t able to cancel your subscription. They can stop future payments and report the company.

If the company won’t refund you and your bank say they won’t either, you can complain to the Financial Ombudsman Service to try and get your money back.

Find out more about how to protect yourself against scams in our guide on outsmarting online scammers.