QR Code 'Brushing' Scam: Can Someone Really Steal Your Information With a Scan?

The holidays are fast approaching and the season of giving will soon commence. Many have begun buying their gifts in advance, but some are already receiving gifts in advance. The kicker? They don’t know who they’re from.
This phenomenon took social media by storm in the latter half of September 2024 when the Akron Police Department made a Facebook post regarding a recent brushing scam.
The post, made on September 17th, explained brushing and the kinds of packages victims could receive. The packages did not include any information about the sender, but they did include a QR code.
When scanned, the QR code would allegedly tell recipients where the package came from. According to the post, many states have recently experienced brushing scams.
The police department also warned Facebook users of the dangers of scanning these QR codes, stating:
“Once the code is scanned, all the information from that phone will be sent to scammers. They receive all access to the phone. All personal and financial information is accessible to the scammers, and often the victim's bank accounts are drained.”
The police department concluded the post by urging everyone to warn their family members and avoid scanning unknown QR codes.
QR code gifts, but for who?

It should be noted that brushing isn’t a new concept. While there seems to be a recent and sudden surge across many states, cases of brushing scams can be traced as far back as 2020.
In July of that year, thousands of Americans received mystery Amazon packages containing plant seeds.
According to the online retail giant, seeds from at least 14 plant species were sent to unwitting residents, most of them from China. This led Amazon to ban the selling of foreign plants to the US in September of that same year.
Other countries have also experienced these brushing scams, particularly Scotland, where farming leaders had to issue a warning to prevent the planting of any unsolicited seeds.
But what is the reason for these packages?
According to the United States Postal Inspection Service, brushing is when a person receives parcels they did not order or request. These packages are usually addressed to the recipient but will lack the sender's or retailer's return address.
Despite this lack of return address, the sender is normally an international, third-party seller whose goal is to boost their ratings and artificially inflate sales. They do this by writing positive but fake reviews under the names of their victims.
As to how these scammers found the addresses of their victims, it could be from information available online or from data breaches and compromised accounts.
In more recent times, it seems that scammers have taken a new step to gain more from their brushing scams. Using QR codes, they have added another layer of malice to their packages.
At the moment, the purpose of these QR codes is still unclear. However, the Akron Police Department claims that these malicious QR codes are used to steal all information from the scanning device.
Can a QR code scan actually steal your data?

While QR codes are effective gateways to information, are they really capable of stealing information when scanned?
Similar to how seemingly harmless technology can be used for nefarious purposes, bad actors can create QR codes to harm unsuspecting people.
Fake QR codes are dangerous and should not be taken lightly, but they are incapable of taking information on their own. Instead, they help scammers and hackers get your information in other ways.
An example is a scam in Singapore in 2021. A 60-year-old woman scanned a QR code at the door of a bubble tea shop.
Thinking it was a promotion for a free cup of milk tea, she downloaded a third-party app and answered a survey. Using the application, scammers took over her device and stole $20,000 from her bank account.
It is important to remember that businesses and brands with good intentions would only use a trusted QR code generator with logo to make their QR codes. Still, many experts advise users to avoid scanning unknown QR codes.
Jason Meza, Senior Director of Media Relations for the Better Business Bureau, said in an interview with KCEN, "Don't scan the code, simply don't perform the action right away."
"You're following instructions that you don't know who the code came from, and in reality, it's probably from a scammer," he continued.
In light of this scam, both the Federal Trade Commission and the American Association of Retired Persons urged people not to scan unexpected QR codes.
Legitimacy versus malice: A challenge in QR code adoption
With the rise in QR code popularity comes an increase in fake QR codes. Fortunately, there are many ways to determine if a QR code is harmful or not.
One way is to check the URL encoded in the QR code before visiting it. Most QR code scanners come with this feature, allowing users to check the link’s legitimacy. From there, they can choose between accessing the link or leaving it alone.
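The pre-visit check described above, as an added example that is not part of the original article: given the text a scanner decoded from a QR code, it returns reasons for caution without opening the link. The specific checks, the `SHORTENERS` list and the function names are illustrative assumptions, and an empty result does not prove a link is safe.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed sample of link-shortener hosts (illustrative, not from the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Caution codes and what each one means to the person holding the phone.
REASONS = {
    "unparseable": "the decoded text is not a well-formed URL",
    "not-web": "payload is not an http(s) link (could be sms:, tel:, WIFI:, an app link)",
    "no-host": "the link has no host name to inspect",
    "plain-http": "no TLS, so the page can be altered in transit",
    "userinfo": "text before '@' is not the host and can imitate a brand name",
    "ip-host": "host is a raw IP address rather than a registered name",
    "idn-host": "internationalized host name that may imitate another domain",
    "shortener": "shortened link hides the final destination",
}

def review_qr_payload(payload: str) -> list[str]:
    """Return caution codes for a decoded QR payload. Nothing is fetched."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname or ""
    except ValueError:
        return ["unparseable"]
    if parts.scheme not in ("http", "https"):
        return ["not-web"]
    if not host:
        return ["no-host"]
    codes = []
    if parts.scheme == "http":
        codes.append("plain-http")
    if parts.username is not None:
        codes.append("userinfo")
    try:
        ipaddress.ip_address(host)
        codes.append("ip-host")
    except ValueError:
        pass
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        codes.append("idn-host")
    if host in SHORTENERS:
        codes.append("shortener")
    return codes

def explain(payload: str) -> list[str]:
    """Human-readable form of review_qr_payload()."""
    return [REASONS[code] for code in review_qr_payload(payload)]
```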
It is also worth mentioning that trustworthy brands will always make use of safe and secure QR code platforms that come with data encryption.
These platforms also comply with regulations and standards that protect a user’s information, such as ISO/IEC 27001 and the California Consumer Privacy Act.
In the end, legitimate QR code users won’t be seeing the end of QR code scammers and cyberhackers. However, with the right tools and practices, the world can prevent the harmful use of these 2D barcodes.