QR codes are still being hijacked for subscription traps and scams

Watch out for recurring payments to random companies after scanning QR codes, Which? warns

Have you spotted a recurring payment to a company you’ve never heard of? You’re not alone, as subscription traps - often linked to dodgy QR codes - are one of the most commonly reported complaints to the Which? scam sharer tool. 

People find they've been charged for subscriptions they didn’t sign up for after trying to download apps on their phones, or scan QR codes in restaurants, pubs, shops, bus stops, stations and car parks. Others notice payments to brands they don't recognise, but don't know where these companies got their card details from.

There's no doubt that scammers have sensed an opportunity to abuse Quick Response (QR) codes, those black and white patterned squares you scan with a smartphone to be directed to a website. Only last month, Greater Manchester Police warned of a ‘steep rise’ in QR code fraud, particularly in open spaces such as car parks.

Here, we look at recent subscription traps reported to Which? and offer our tips to help you use QR codes safely.


‘I was duped by a QR code in a garden centre’

One company that keeps popping up in reports to Which? is called Digotech Ltd. It describes itself as a digital entertainment provider and uses various branded websites including:

  • bechef.club
  • chefbe.club
  • bevod.club
  • vodbe.club
  • begame.club
  • gamesbox.pro
  • boxgame.pro

We received 15 reports about these brands in the past year, all from people who said they found charges of up to £39.99 per month for unwanted subscriptions.

Patricia got in touch with Which? after her credit card provider, Barclaycard, refused to refund a recurring transaction she says she didn't authorise. 

‘I was duped by an online pop-up when downloading an app in a local garden centre. I used my phone to scan a QR code - you needed the app to order food. I was charged £1 but it said this would be deducted from the food bill. A week later, another £39.99 was taken. I thought online you had more protection.’

Her credit card statement shows that the two payments went to PYD*Chefbe.Club - which has nothing to do with the garden centre - yet Barclaycard initially told her she would not be refunded because she had accepted a free trial and entered into a contract with the company.

How does a QR code subscription work?

It’s impossible to determine exactly how Patricia's QR code subscription happened. 

QR codes can be tampered with. For example, scammers are known to place fake QR code stickers over real ones on parking meters.

They can use QR codes to hide harmful phishing websites and misleading adverts, or infect your device with malware. Both have been linked to third-party QR code scanner apps (instead of the built-in scanner that comes with Android and iPhone camera apps).

Other complaints we've seen about Digotech were similar to Patricia's. For example, one person was at a local farm shop and scanned a QR code to enter what he thought was a competition on the farm shop’s website.

He said: ‘I naively filled in all my details including - very stupidly - my bank account numbers as I assumed it was legitimate. I then got a "thank you for subscribing to BeGame" message saying that in five days time I would be debited £39.99 every month! I immediately contacted my bank to stop the card and block any future attempts to debit my account.’

Another was trying to buy a birthday card online yet somehow ended up clicking on a pop-up advert that she thought was connected to the retailer, but linked her to Gamebox.pro instead. 

Several people accused Digotech of making it difficult to cancel these subscriptions, telling us the email confirmations listed no phone numbers and the links to ‘cancel’ didn’t work. 

Online reviews for brands including Bechef.club and Gamesbox.pro are overwhelmingly negative and match the complaints shared with Which?. 

What does Digotech say?

We put these reports to Digotech and explained that people believe they’ve been scammed because they were charged when trying to access goods or services from companies that have nothing to do with Digotech brands.  

A spokesperson told us it believes complaints are related to the placement of a marketing banner 'potentially causing confusion'. It uses social media and Google Advertising Network to promote its brands. 

'We do not control where or which banners are placed within third-party websites or applications. So whilst we label our marketing clearly with our service name and domain, occasionally consumers click on our advertising banners mistakenly confusing them as being part of the originating application or website.'

‘For the avoidance of doubt, Digotech's websites, payment page and terms and conditions make it extremely clear that we are separate from any third-party service or advertiser, and our payment flow (pricing and terms) is indicated clearly and transparently.’

If you notice a payment to a Digotech brand that you don’t recall authorising, you are encouraged to contact its customer care team for a full refund (you can use support@gamesbox.pro, for example). 

Digotech said it can also use the transaction information to identify the related application or website, and if necessary, manually block its marketing from being published there.

Getting your money back

Banks report companies if they see a trend in disputed payments among customers, so it's important to contact your card provider if you spot a recurring payment you didn’t authorise. 

It can put a stop to future payments if you are unable to cancel a subscription, though getting a refund for money you’ve already lost can be more difficult, as it may appear to be fully authorised. 

If the company in question won’t refund you, ask your bank to help and escalate your case to the Financial Ombudsman Service (FOS) if you're not happy with its response. 

Patricia did get the £39.99 back from Digotech, after we encouraged her to email its bechef.club customer support team and explain that she had never requested its services. But we’re disappointed that Barclaycard didn’t do more to help. 

We think it failed to adequately investigate the disputed transaction, something we see too often in cases of disputed subscriptions and recurring payments, though it has since offered £50 compensation. 

Barclaycard said: ‘Our customer contacted us after unwittingly signing up to a subscription service and noticing their Barclaycard had been charged an unexpected amount. Unfortunately an error was made meaning the initial amount was not refunded as quickly as it should have been. We have since corrected this and apologise for the delay our customer faced.’ 

Key information

5 ways to use QR codes safely 

  1. Check for evidence of tampering when you scan QR codes in public spaces, as someone may have placed a sticker over the real one, or it may look out of place. If in any doubt, type in the web address manually to visit the correct website.
  2. Don't use an app to scan QR codes as it increases the risk of downloading malware or being redirected to a misleading advert. Most phones have a scanner built into the camera, so use this instead.
  3. Preview the web address as you start to scan it - you should be able to inspect the link by clicking on additional settings within the scanner, or you could turn off internet access for your device (put it on airplane mode) and open the link to view the address details first. If it doesn’t begin with ‘https’ or the website's address is different to what you were expecting, then don't visit it.
  4. Don't use QR codes to download apps as this increases the risks of installing something malicious. Use a verified app store instead (Play Store at play.google.com or App Store at apps.apple.com).
  5. Avoid QR codes in emails. Scammers are increasingly using them to disguise malicious links, because email security tools don’t always scan images.
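
The address check in tip 3, written out as code for anyone building it into a scanner or kiosk app. This is an added example, not part of the original article; the function name `check_qr_url` and the domains `parking.example` and `pay-now.test` are made up for illustration. It goes slightly beyond the tip by also flagging two common ways an address is made to look like the expected one.

```python
from urllib.parse import urlsplit

def check_qr_url(payload: str, expected_domain: str) -> list[str]:
    """Return reasons not to open a scanned link; an empty list means it passed."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["not a parseable web address"]
    problems = []
    if parts.scheme != "https":
        problems.append("does not begin with https")
    if not host:
        problems.append("no website address found")
        return problems
    # "https://trusted.example@other.test/" really goes to other.test
    if parts.username or parts.password:
        problems.append("text before '@' hides the real address")
    # Labels starting with xn-- are encoded non-ASCII, often used for look-alikes
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("address uses encoded look-alike characters")
    # Accept the expected domain itself or a true subdomain of it, nothing else
    expected = expected_domain.lower().rstrip(".")
    if host != expected and not host.endswith("." + expected):
        problems.append(f"address is {host}, expected {expected}")
    return problems

# Constructed sample payloads, as a scanner would decode them from a QR code
SAMPLES = [
    "https://parking.example/pay?bay=12",
    "http://parking.example/pay",
    "https://parking.example.pay-now.test/",
    "https://parking.example@pay-now.test/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_qr_url(url, "parking.example") or "ok")
```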