Fake QR Code Scams: How To Spot and Avoid Them + Examples


QR codes are often used by businesses and organizations as a way to allow you to access further information, like a restaurant menu or company website. QR codes work well in this way because they are small, compact, and only require a simple phone scan for access. 

But like all things digital, there’s the risk that cybercriminals and hackers can replicate QR codes or hack into real ones and direct you to malicious links or install malware. So, how can you avoid this issue? 

Read on to learn more about how to spot fake QR codes, how to avoid interacting with them, and what types of common QR code scams are out there. 

What Is a QR Code? 

A QR code or Quick Response code is a unique 2-D code of black and white square, line, or blob combinations that you can scan with your phone camera. It essentially works like a regular barcode at a store, allowing the scanner to access information contained within the code. 

Typically, QR codes will route you to an online website related to the company that provided it. Examples of things QR codes can be used for include: 

  • Company websites or online stores
  • Restaurant menus or prices
  • Information about public transit, health, current events, museum exhibits, etc.
  • Instructions for how to use/operate something
  • Guides/maps for navigation
  • Join Wi-Fi networks
  • Method of payment

How QR codes can be used is limited only by your imagination. Their ability to redirect the user to any link of the owner’s choosing makes them extremely convenient and easy to use. Unfortunately, the frequency with which people use QR codes makes it even more important to learn how to avoid scammers.

How To Scan a QR Code

QR codes are relatively new and have spiked in popularity in the last few years since they provide a way to avoid physical contact or interaction. However, unlike many high-tech inventions of today, QR codes could not be easier to use. 

All you have to do is open the camera app on your smartphone, make sure it’s on photo, and point your camera at the QR code. You want your camera to be a few inches away from the code, close enough that it's in focus and can be clearly seen but not so close that it’s warped and blurry. 

Once you have it in frame, your phone should automatically identify it as a QR code, and a link underneath the code will pop up. Click on the link, and it will immediately take you to the website via your Internet app. 

If the website doesn’t automatically pop up, you can tap on the spot on your screen where the QR code can be seen to make sure your camera identifies it. From there, the link should appear.

What Is a QR Code Scam? 

With a legitimate QR code, you will be directed to a helpful website that allows you to interact in more detail with a specific company. With a fraudulent QR code, you might be directed to a site that contains malware, malicious links, or other tools that threaten your cybersecurity. 

Free QR code generators exist online, so it is fairly easy for anyone to make a fake QR code. Since even real QR codes are just a combination of random black and white shapes in a complex pattern, it is very difficult to tell if someone has replaced the real code with one of their own. If you’ve never seen that code before, you would never notice it’s fake.

Scammers know this and they will sometimes print out stickers with their own QR code on it. Then, they put that sticker over the real code and the next time you scan it, you’re directed to their site instead. An example of this is replacing a code on a parking meter where you’re supposed to scan it to pay. 

If they don’t directly replace an existing QR code, fraudsters will also likely put their fake code in a spot where it would be reasonable for a real code to be. This includes places like street sign poles, the sides of shops and restaurants, and public places like libraries or parks. The goal is to make the code seem real so you’re more likely to scan it. 

Fake QR codes don’t have to be placed in physical spaces—they can also be included in emails, on posters and flyers, or in social media posts. Anywhere that serves as a jumping point for ads or information works. Make sure you look out for fake codes in these places as well to avoid scammers. 

People have often been told to watch out for malicious links and scam emails, so some hackers have switched to using QR codes. A QR code doesn’t seem as suspicious as a random link. Surely if an email comes with a legit looking code it can’t possibly lead to a fake site, right? 

QR codes are also most easily accessed with a personal phone rather than a computer. Your phone might not have as many firewalls and security measures in place as a computer, making it easier to exploit. All of these reasons contribute to some hackers choosing malicious QR codes over other types of scam tactics. 

Types of QR Code Scams

There are a variety of common QR code scams you should look out for. The two big ones to keep in mind are scams that result in you downloading malware onto your device and phishing scams. 

Malware

Malware is malicious software that works to actively harm your device. Cybercriminals can use this software to illegally collect personal data like credit card numbers from your device, send you unwanted ads and content, or demand payment for the return of your stolen data. 

Malware often also affects the performance of your device, causing things to load slower, glitch, and drain your battery quickly. The installation of malware and subsequent collection of your data can also result in things like identity theft.

Just because you scan and open a fraudulent QR code doesn’t mean you automatically have malware installed on your device. Many malware scams work by prompting you to click on an additional link or download something before they fully install. 

Different types of malware include: 

  • Spyware: software that secretly sends data about a device and its activities to the person running it

  • Ransomware: software that blocks access to a device until that person pays a ransom sum to the hacker

  • Viruses: software that infects and damages a device and/or its data

Phishing

Phishing scams are a very common type of digital scam tactic. Hackers pose as real companies or people to seem credible and then request personal information from you under the guise of needing it for a specific reason. Phishing attacks can be easier to fall for because the scammers do their best to seem like legitimate companies. There are often phishing emails, phone calls, and text messages that will pop up on your phone from time to time.

Quishing

Quishing is the term used for phishing scams that involve QR codes. Quishing scams can appear in emails, social media posts, or out in the world. The fake QR codes that are part of this might send you to a phishing website that asks for your payment information, email address, or phone number. The hacker gets full access if you enter and submit any of that information. If you send something sensitive, like bank account information, the damage could be even more severe.

8 Examples of Common QR Code Scams

Now that you know the basics of QR code scams, let’s get into some specific examples of scams you might come across if you scan a fake code. The more types of scams you’re familiar with, the less likely you are to fall for even the most convincing ones. 

1. QR Code Email Scams

A common phishing/quishing scam tactic is emails with fake QR codes. The sender will likely pose as a legitimate company and ask you to scan the QR code to make a mandatory payment by entering your credit card information, access your account where you need to update personal details, or some other false call to action. 

Email scams can also come in the form of fake giveaways, prizes, and rewards. Who wouldn’t want to click on an email that says you won a free car if you scan the QR code to view your reward? Most of these will seem way too good to be true, and as tempting as it is, it’s best to avoid clicking on them altogether.

2. QR Code Package Scams

Receiving a package is always exciting. But if you get a package with a QR code on the outside, never scan it. Cybercriminals have developed a strategy where they send you a package you never ordered with a QR code sticker on the box. The code will likely say you can scan it to get more information about the order. 

Since you’ll want to return the item you didn’t order, you’ll scan the QR code to get more information about how to do so. From there, the website you’re taken to will likely ask for credit card numbers or other sensitive information to complete this action.

3. QR Code Cryptocurrency Scams

Cryptocurrency is a digital currency that can be bought and sold through a central online bank. Because everything with crypto occurs digitally, QR codes are often used for transactions and serve as a tangible resource. The specifics of crypto are also widely unknown to many people, making it easier to trick them into buying or selling.

Cybercriminals can send you a QR code in an email claiming to offer giveaways, investment opportunities that are too good to be true, or advice on how to invest. Once you send over a portion of your crypto in the hopes they’ll make you more money in return, they’ll take your money and disappear. 

4. QR Code Payment Scams

Payment scams include anything that asks you to pay for something through a QR code but then sends your money straight to the hacker instead. Because QR codes are sometimes used as a method of contactless payment, it’s fairly believable that a company or restaurant might want you to pay that way. Cybercriminals will commonly use this tactic on unmanned parking meters, tricking you into paying them instead of the real company. 

5. QR Code Donation Scams

Unfortunately, not even donating to charity is always safe. Hackers can claim to be part of charitable organizations and ask for your money or credit card information so you can donate. The QR code you scan may even take you to a legitimate-looking charity website. 

These codes might be on emails, flyers, or social media posts. The best practice here is to only ever donate through the charity’s official website, not through any sketchy QR codes you receive. 

6. QR Code Restaurant Scams

QR codes are more commonly used for contactless menus than before due to the pandemic. They are often on a small poster at the table or stuck to the table itself. If you scan a restaurant QR code that’s been tampered with, you might get directed to a malicious website instead of the menu. 

If the scammer is really sophisticated, you might see something that looks like a menu but is in fact a fake website ready to install malware. But this level of professionalism is rare. If you’re worried about scanning a fake code, you can always ask the server for a physical menu if they have them. 

7. QR Code Health Scams

Covid made everyone more aware of and cautious about basic health concerns. And going to a local clinic to get tested became a frequent trip for some. At these sites, QR codes are sometimes used to sign in or access results. The same could be true for other general health clinics. 

Once you scan these codes, you may be prompted to put in more personal information than usual, like your social security number. Covid is less prevalent now than it once was, but it’s still a good idea to only get tested at well-known sites that are less likely to be tampered with. 

Under the health category, scammers can also use fake QR codes claiming to provide information about a recent disease outbreak or other public health-related issue. It’s understandable that this would be concerning, and you might be tempted to scan it to find out more. But from there, you’ll likely be directed to a malicious site. 

8. QR Code Social Media Scams

Another category of QR code scams is on social media. Social media is full of advertisements, marketing, and occasionally QR codes, so it’s not totally strange for you to find one there. Businesses might use a QR code on social media to redirect you to their main website in hopes you’ll make a purchase. 

Though QR codes might appear on legit social media sites, it’s important to remember that most people use social media with their phones. And your phone has a built-in QR code scanner, making it the device you also use to scan codes. In all likelihood, businesses will use links over QR codes. Few people are using a second phone to scan a QR code on their first phone. 

A fake QR code on social media might be sent to you via a direct message, or it might come up naturally on your feed. The account that sent or posted the code might appear legit, or it may be obvious that it’s not to be trusted if it has little to no posts, many typos, or odd content. 

9. Fake QR Code Scanning Apps

There are many QR code scanning apps available on the app store. Most are fine, but there can be fake apps that, once downloaded, install malware onto your device. This malware can potentially steal your phone’s data and reduce your phone’s performance.

How Can You Tell if a QR Code Is Fake? 

In a perfect world, there would be a way to tell if a QR code is fake or not just by looking at it. Unfortunately, due to the detailed nature of the codes, this is nearly impossible if you’ve seen the code before and entirely impossible if you haven’t. Even if someone generates a QR code themselves, it will look as real as any professional one. 

So, how can you tell if a code is real or not? 

Look at the Starting Link 

When you scan a QR code on your phone’s camera, the link of the website it’s taking you to will pop up under the code. This is what you click to go to the site. 

There are a few things to look for that might indicate the code is fraudulent: 

  • Words are misspelled (if it says Restarant instead of Restaurant) 
  • The site ends in something other than .com, .org, .gov, or .edu
  • The link is extremely short (or it doesn’t seem like a full website URL) 

None of these things are 100% indicators of a scammy code, but they should wave red flags and set off warning sirens in your brain. If the link seems off and you’re at a physical location, you can always ask the staff to verify it’s the right link. 

Check for Tampering

If you’re in a physical location, a common tactic scammers use is putting a sticker of their QR code over the real one. Before you scan, check to see if it looks like there are any sticker edges around the code. This can be hard to determine, though, because many real restaurants and businesses will use a sticker of sorts themselves for their real code. 

If the code you’re using at a restaurant for the menu is at your table, you could check other tables to make sure they all look the same. Chances are a scammer won’t have a chance to stick their code on every single table. As always, check with the staff if you have any concerns. 

Examine the Website Carefully

If the pop-up link seems fine and there’s no obvious sticker or tampering evidence, you will probably go ahead and click on the link. As stated above, for many QR code scams, just opening the website isn’t enough to cause any damage. 

You will usually have to click an additional link or image for malware to install, and you will have to enter and send your information for a phishing attack to work. This means it’s time to examine the website with your best sleuthing skills. 

Make sure the website seems professional (no obvious spelling/grammar mistakes, high-resolution images, a title with a drop-down menu, or a restaurant menu that matches the place you’re at). Overall, use your best judgment. If something feels suspicious, it’s better to be safe than sorry. 

If the website does feel off, ask any staff that might be present. If you got the QR code from an email, package, or some other place online, see if you can find the same site by doing a Google search. 

You can also look at the website URL itself. If there is a lock symbol in front of the address or if the address begins with https, it’s much more likely to be secure and totally fine. Scam sites may use http (without the “s”) to appear more realistic.
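The red flags from "Look at the Starting Link" and the https check above, applied in code to a link decoded from a QR code. This is an added example, not part of the original article; the function names, the thresholds, and the sample links in the comments are assumptions constructed for illustration.

```python
"""Triage a link decoded from a QR code against the article's red flags."""
import difflib
from urllib.parse import urlsplit

EXPECTED_ENDINGS = {"com", "org", "gov", "edu"}  # endings the article lists
SHORT_LINK_MAX = 20  # assumption: host + path this short counts as "extremely short"
NEAR_MISS = 0.85     # assumption: similarity ratio that counts as a misspelling


def has_misspelling(expected, text):
    """True if text holds a close-but-wrong spelling of the expected name."""
    expected, text = expected.lower(), text.lower()
    if expected in text:
        return False  # spelled correctly somewhere in the link
    n = len(expected)
    # Slide windows one character shorter, equal and longer than the name,
    # so a dropped or extra letter is still compared against the whole word.
    for width in (n - 1, n, n + 1):
        for i in range(max(len(text) - width, 0) + 1):
            window = text[i:i + width]
            ratio = difflib.SequenceMatcher(None, expected, window).ratio()
            if ratio >= NEAR_MISS:
                return True
    return False


def red_flags(url, expected_name=None):
    """Return the red flags a decoded QR link raises (empty list = none).

    expected_name is the word you expect to see in the link, for example
    the business name printed next to the code. None of the flags proves
    a scam; they mark links worth verifying with staff or the company.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["not-a-web-link"]
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in ("http", "https") or not host:
        return ["not-a-web-link"]  # e.g. a Wi-Fi or payment payload

    flags = []
    if scheme != "https":
        flags.append("no-https")
    if host.rsplit(".", 1)[-1] not in EXPECTED_ENDINGS:
        flags.append("unusual-ending")
    segments = [s for s in parts.path.split("/") if s]
    if (len(segments) == 1 and "." not in segments[0]
            and len(host) + len(parts.path) <= SHORT_LINK_MAX):
        flags.append("very-short-link")
    if expected_name and has_misspelling(expected_name, host + parts.path):
        flags.append("misspelled-name")
    return flags


if __name__ == "__main__":
    # Constructed sample links, not taken from any real QR code.
    for link in ("https://joes-restaurant.com/menu",
                 "http://joes-restarant.com/menu",
                 "https://t.example/Ab3x"):
        print(link, red_flags(link, "restaurant"))
```
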

Look Out for Urgent Calls to Action

Most of the time, no real website is going to continually pressure you to submit information. There might be boxes to enter your email and phone number, but there shouldn’t be any pressure to do so immediately. 

Most phishing scams will strongly encourage, if not demand, that you provide them with personal information this very second. If there are any scare tactics (like threats about what happens if you fail to comply) or time limits on your submission, it’s likely a scam site. 

Verify With the Company or Staff

If at any point while scanning a QR code or navigating the site, it leads you to something that seems off, you can always contact the company directly. Real sites belong to real companies that have contact information available online. Call, email, or if you’re somewhere in person, talk to someone who can confirm the site is legit. 

Avoid Downloading QR Code Scanning Apps

Since all smartphones come with built-in QR code scanners through the camera app, you will never need to download a QR code scanning app. By avoiding these apps, you avoid the risk that you download something malicious instead. 

Never Scan QR Codes From a Stranger

You may come across people on the street who are handing out flyers or promotional materials for an organization they’re part of or a product they’re advertising. For example, independent artists might give out QR code stickers to advertise their music or paintings. You might also be sent QR codes by someone online for the same purpose. 

The safest rule to follow is to never scan a code you get from someone you don’t know. Even if they seem really cool and you want to support them, don’t do it. You can always ask if they have social media or a website you can follow them on instead. 

What To Do if You Experience a QR Code Scam

If you accidentally end up sending personal information to the wrong people or click on a link from a QR code that downloads malware onto your device, don’t panic. There’s always a way to fix it. 

If you see that your phone is glitching a lot, or if you see unauthorized payments in your account, or even if you go back to the site and realize it was fake all along, don’t wait to take action. 

Change Your Passwords

Especially if you use your login information on a fake website, you should immediately change your passwords to critical accounts. If the hacker knows a username and password you use for multiple accounts, they have access to everything in those places. By changing your passwords, you can lock them out and protect your accounts from further damage. 

It’s also smart to use a strong password when resetting to reduce the chances it’s hacked or guessed in the future. For extra protection, set up two-factor authentication on your most valued accounts.

Freeze Your Credit Cards 

If you’ve entered financial information into a fraudulent website after scanning a QR code, you should notify your bank and freeze your cards. This way you can resolve the issue by getting a new card before the hacker has a chance to buy things with yours. 

Block the Website and Report the Scam

Like with any nefarious website you encounter, you should always block the site through your Internet browser or device. You can also report the attempted scam through the Federal Trade Commission so that site is flagged in their system. 

Scan Your Device for Malware

If you think the issue might be malware and not a personal information leak, you might want to check out antivirus software to scan your device for viruses and the like. 

Back-Up Important Data

You never know just how far malware can go to infect your phone. In the event that malware leads to data theft or loss, it’s a good idea to back up your most important files, photos, and videos as soon as you think you’ve been hacked. 

Keep a Look Out for Other Issues

The world of digital fraud is sometimes complicated; even if you only notice a drop in your phone’s performance at first, that doesn’t mean the problem’s over. If you fall victim to a QR code scam, it’s a good idea to monitor all of your essential accounts to be sure no unauthorized activity or purchases appear later on. 

Protect Yourself From QR Code Scams

There is no one way to stay 100% protected from QR code scams. Hackers and cybercriminals are creative, and they come up with new ways to trick people into falling for their scams every day. 

That said, you can certainly make sure you’re keeping up with and following cybersecurity best practices. This way, you and your phone will be as protected as possible in the event of a hack. 

  • Use strong, diverse passwords for all accounts (12+ characters, uppercase, lowercase, special characters).
  • Exercise caution and suspicion when opening things from an unknown source.
  • Never give out your personal information online unless you’re 100% confident the website is legitimate.
  • Use a second phone number app like Burner and give out that number in place of your real one. If you give your Burner phone number to a phishing scammer after scanning a QR code, you just have to delete your second number and get a new one (instead of notifying all of your main contacts of a number change).
  • Never click on an unknown link.
  • Keep your software updated.
  • Always use your best judgment when online (if something seems suspicious, it probably is).

Following these basic cybersecurity best practices will help boost your phone’s security and minimize the damage that can be done if you’re hacked. Even if you don’t regularly scan or use QR codes, it’s still a good idea to follow these basic tactics to protect your phone from a variety of online scams. 

QR Code Scams in Review

Follow the tips and tricks outlined in this article to keep yourself protected from QR code scams. Check for stickers, weird links, urgent calls to action, and anything that strikes you as suspicious. Never scan codes from strangers, and if you get hacked, don’t wait to take action. 

Most QR codes will be fine and actually extremely helpful, so just keep a look out for the red flags we’ve identified here. Happy scanning! 
