QR Code Scams: Think Before You Scan

Publication date: Aug 21, 2023

Last Published: Aug 21, 2023

Table of Contents
Read Time : 6 minutes

It’s predicted that the number of US smartphone users scanning a QR code will jump from around 83 million in 2022 to more than 99 million in 2025. As QR codes weave their way into our daily routines, they’re also catching the eye of cybercriminals. While most of us view QR codes as gateways to promotions, menus, or websites, these crooks see them as attack vectors, using them to execute sophisticated QR code scams.

What Are QR Code Scams?

QR codes, those familiar black and white squares, are everywhere these days.

These “Quick Response” codes seamlessly connect the physical and digital worlds, ushering users to websites, videos, product info, and more with just a quick scan.

But not all QR codes are created equal. QR code scams are deceptive codes leading users not to a genuine website or deal but to malicious sites or harmful downloads. Think of them as wolves in sheep’s clothing. Instead of a menu or promo, you might be directed to a phishing site, be prompted to download malware, or even tricked into making unauthorized payments.

Unfortunately, QR code scams are not some fleeting trend.

They have become such a prevalent threat that significant bodies have taken notice and raised alarms.

The FBI has issued a PSA warning consumers of the risks involved, the Michigan Attorney General’s office published a consumer alert on the dangers of these deceptive codes, and the BBB also raised a red flag with their scam alert.

Yet, despite the extensive warnings, many people still don’t know how QR code scams work. This gap in cybersecurity awareness is dangerous, serving as an open invitation to cybercriminals. But with the right information and a proactive approach, this gap can be easily bridged, turning potential victims into well-informed defenders of their digital lives.

How Do QR Code Scams Work?

QR code scams, though diverse in their execution, follow the same pattern to deceive and exploit:

  1. Creation of a malicious QR code: Scammers design a QR code that, for example, redirects users to a deceptive website or prompts the downloading or direct execution of malicious software when scanned. The tools to create these codes are easily accessible and don’t require deep technical knowledge.
  2. Strategic placement: The rogue QR code is placed where potential victims are likely to scan it. This could be on public advertisements, in store windows, or even by replacing legitimate QR codes with tampered ones.
  3. Scanning by the victim: The unsuspecting victim scans the QR code. Once scanned, the victim is led to a malicious endpoint, such as a phishing site that mirrors a trusted platform, asking them to input sensitive information, or a prompt to download something that seems useful but is, in reality, malware.

Often, QR code scam victims don’t realize they’ve been duped until they face unauthorized charges on their accounts or when they receive suspicious activity alerts. Furthermore, the blame doesn’t always land on the actual culprits. Many times, victims associate the rogue QR code with the business or organization where it was placed.

Common QR Code Scams Explained

As we’ve already mentioned, QR code scams can take on many forms, and cybercriminals are continuously finding new ways to exploit this attack vector for their gain. Let’s take a look at some of the most common QR code scams we’re seeing today:

  • Quishing: These scams involve email messages sent by seemingly legitimate senders. You might be told a payment didn’t process or there’s a special offer waiting. Once you scan the attached QR code, you’re redirected to a fake website.
  • Contactless payments: QR codes enable convenient contactless payments in places like parking lots or restaurants. The problem is that this convenience can be exploited by scammers who place fraudulent QR codes to redirect funds to their own accounts.
  • Fake utility bills: Scammers often pose as utility companies or government agencies. Claiming you missed a payment, they threaten dire consequences, such as service shut-offs. The twist? They conveniently provide a QR code that allows you to immediately “correct” your mistake.
  • Trojan packages: Random package at your doorstep with a QR code inside or on it? Watch out. Some crooks send unsolicited parcels, urging recipients to scan the QR for details or returns. In doing so, victims are typically redirected to phishing sites or directly infected with malware.

Related: For a deeper understanding of what it takes to stay secure online, dive into this informative guide on cybersecurity threats.

How to Spot a QR Code Scam?

Never scanning any QR code isn’t a real solution to the threat of QR code scams. QR codes have become an integral part of our daily lives, so avoiding them entirely would be like avoiding the internet because of cyber threats—impossible.

But here’s the good news: most QR code scams can be avoided by following a handful of simple yet effective best practices:

  • Always check for signs of tampering. Before scanning a QR code, especially one that’s on a physical product or document, examine it closely for any signs of alterations. This could include stickers placed over the original code, visible erasures or modifications, or any signs that the code might have been replaced.
  • Use a secure QR code scanner instead of the camera app. There are specialized QR scanners available that provide an extra layer of security. Apps like Trend Micro’s QR Scanner, Sophos Mobile Security, and Kaspersky’s Secure QR Scanner are built to not just decode but also validate QR codes, ensuring you’re directed to a safe destination.
  • Consider available alternatives to scanning the QR code. As convenient as QR codes are, sometimes the risk associated with their use isn’t worth the convenience. Before scanning a QR code, think about other ways to get the same information or service.
  • Avoid randomly placed QR codes like the plague. Scammers sometimes place malicious QR stickers in random places, hoping that an unsuspecting individual will scan them out of curiosity. These can be found anywhere from public restrooms to transit stations or even on the back of chairs in waiting areas.
  • Trust your instincts. If something feels off or too good to be true, it probably is. QR codes offering deals that seem unrealistically favorable or that promise huge rewards for little to no effort are likely to be scams, and the same can be said about QR codes that ask for too much sensitive information.

By staying alert and following these best practices, you can enjoy the convenience of QR codes while minimizing the risks.

Conclusion on QR Code Scams

Since their invention in 1994, many use cases for QR codes have emerged. But just like virtually every tool in the world, these two-dimensional barcodes can be used for both good and bad. By staying informed and adopting the QR code scanning best practices described in this article, you can harness the benefits of QR codes while safeguarding yourself from potential harm.

Contact us to learn more about your business staying safe and secure into the future.

Related Posts: